317 69 2MB
English Pages 212 Year 2000
SSL and TLS Essentials Securin g th e Web
Steph en Th om as
SSL & TLS Essentials Securing the Web
Stephen A. Thomas
Wiley Computer Publishing John Wiley & Sons, Inc. New York • Chichester • Weinheim • Brisbane • Singapore • Toronto
Publisher: Robert Ipsen Editor: Marjorie Spencer Assistant Editor: Margaret H endrey Text Design & Composition: Stephen Thomas Designations used by companies to distinguish their products are often claimed as trademarks. In all instances where John W iley & Sons, Inc., is aware of a claim, the product names appear in initial capital or ALL CAP I TAL LE T T ERS. Readers, however, should contact the appropriate companies for more complete information regarding trademarks and registration. This book is printed on acid-free paper. Copyright © 2000 by Stephen A. Thomas. All rights reserved. Published by John W iley & Sons, Inc. Published simultaneously in Canada. No part of this publication may be reproduced, stored in a retrieval system or transmitted in any form or by any means, electronic, mechanical, photocopying, recording, scanning or otherwise, except as permitted under Section 107 or 108 of the 1976 United States Copyright Act, without either the prior written permission of the Publisher, or authorization through payment of the appropriate per-copy fee to the Copyright Clearance Center, 222 Rosewood D rive, Danvers, M A 0 1923, (978) 7508400, fax (978) 750-4744. Requests to the Publisher for permission should be addressed to the Permissions Department, John W iley & Sons, Inc., 605 Third Avenue, New York, N Y 10 158-00 12, (212) 850-60 11, fax (212) 850-6008, email P ERM p REQ qW I LE Y.COM . This publication is designed to provide accurate and authoritative information in regard to the subject matter covered. It is sold with the understanding that the publisher is not engaged in professional services. If professional advice or other expert assistance is required, the services of a competent professional person should be sought. Library of Congress Cataloging-in-Publication D ata:
Thomas, Stephen A., 1962SSL and T LS essentials : securing the Web / Stephen A. Thomas. p. cm. Includes index. I SBN 0-471-38354-6 (pbk./cd-rom : alk. paper) 1. Computer networks--Security measures. 2. World W ide Web--Security measures. 3. Computer network protocols. I. T itle. T Kt105.59 .T 9 2000 005.8--dc21 99-058910 Printed in the United States of America. 10
9 8 7 6 54 32
1
For Kelsie, Zookeeper of Mango the Flamingo.
Contents
Chapter 1: Introduction
1.1 1.2 1.3
1.4
1.5
Web Security and Electronic Commerce H istory of SSL and T LS Approaches to Network Security 1.3.1 Separate Security Protocol 1.3.2 Application-Specific Security 1.3.3 Security within Core Protocols 1.3.4 Parallel Security Protocol Protocol Limitations 1.4.1 Fundamental Protocol Limitations 1.4.2 Tool Limitations 1.4.3 Environmental Limitations Organization of This Book
Chapter 2: Basic Cryptography
2.1
2.2
2.3
Using Cryptography 2.1.1 Keeping Secrets 2.1.2 Proving Identity 2.1.3 Verifying Information Types of Cryptography 2.2.1 Secret Key Cryptography 2.2.2 Public Key Cryptography 2.2.3 Combining Secret & Public Key Cryptography Key Management 2.3.1 Public Key Certificates 2.3.2 Certificate Authorities 2.3.3 Certificate H ierarchies 2.3.4 Certificate Revocation Lists
1
2 4 6 8 9 10 11 12 12 13 14 14 17
18 18 19 20 21 22 24 27 29 29 31 33 35
ix
x
SSL & TLS Essentials: Securing the Web
Chapter 3: SSL Operation
3.1 3.2 3.3
3.4 3.5
3.6
3.7
3.8
SSL Roles SSL Messages Establishing Encrypted Communications 3.3.1 ClientH ello 3.3.2 ServerH ello 3.3.3 ServerKeyExchange 3.3.4 ServerH elloDone 3.3.5 ClientKeyExchange 3.3.6 ChangeCipherSpec 3.3.7 Finished Ending Secure Communications Authenticating the Server’s Identity 3.5.1 Certificate 3.5.2 ClientKeyExchange Separating Encryption from Authentication 3.6.1 Certificate 3.6.2 ServerKeyExchange 3.6.3 ClientKeyExchange Authenticating the Client’s Identity 3.7.1 CertificateRequest 3.7.2 Certificate 3.7.3 CertificateVerify Resuming a Previous Session
Chapter 4: Message Formats
4.1 4.2 4.3 4.4
4.5
Transport Requirements Record Layer ChangeCipherSpec Protocol Alert Protocol 4.4.1 Severity Level 4.4.2 Alert Description H andshake Protocol 4.5.1 H elloRequest 4.5.2 ClientH ello
37
37 38 39 41 43 45 45 45 46 51 52 52 55 56 56 59 59 59 60 61 62 63 64 67
68 69 71 72 72 73 74 76 77
Contents
xi
4.6
4.7
4.5.3 ServerH ello 4.5.4 Certificate 4.5.5 ServerKeyExchange 4.5.6 CertificateRequest 4.5.7 ServerH elloDone 4.5.8 ClientKeyExchange 4.5.9 CertificateVerify 4.5.10 Finished Securing Messages 4.6.1 Message Authentication Code 4.6.2 Encryption 4.6.3 Creating Cryptographic Parameters Cipher Suites 4.7.1 Key Exchange Algorithms 4.7.2 Encryption Algorithms 4.7.3 H ash Algorithms
Chapter 5: Advanced SSL
5.1
5.2
5.3
5.4
Compatibility with Previous Versions 5.1.1 Negotiating SSL Versions 5.1.2 SSL Version 2.0 ClientH ello 5.1.3 SSL Version 2.0 Cipher Suites Netscape International Step-Up 5.2.1 Server Components 5.2.2 Client Components 5.2.3 Controlling Full-Strength Encryption Microsoft Server Gated Cryptography 5.3.1 Server Gated Cryptography Certificates 5.3.2 Cipher Suite Renegotiation The Transport Layer Security Protocol 5.4.1 TLS Protocol Version 5.4.2 Alert Protocol Message Types 5.4.3 Message Authentication 5.4.4 Key Material Generation 5.4.5 CertificateVerify 5.4.6 Finished
79 80 81 84 85 85 88 90 92 93 95 96 102 103 104 104 105
105 106 109 110 111 112 112 113 115 115 115 117 118 118 121 123 125 126
xii
SSL & TLS Essentials: Securing the Web
5.5
5.4.7 Baseline Cipher Suites 5.4.8 Interoperability with SSL The Future of SSL and T LS
Appendix A: X.509 Certificates
A.1 X.509 Certificate O verview A.1.1 Version A.1.2 Serial Number A.1.3 Algorithm Identifier A.1.4 Issuer A.1.5 Period of Validity A.1.6 Subject A.1.7 Subject’s Public Key A.1.8 Issuer Unique Identifier A.1.9 Subject Unique Identifier A.1.10 Extensions A.1.11 Signature A.2 Abstract Syntax Notation One A.2.1 Primitive O bjects A.2.2 Constructed O bjects A.2.3 The O bject Identifier H ierarchy A.2.4 Tagging A.2.5 Encoding Rules A.3 X.509 Certificate Definition A.3.1 The Certificate O bject A.3.2 The Version O bject A.3.3 The CertificateSerialNumber O bject A.3.4 The AlgorithmIdentifier O bject A.3.5 The Validity O bject A.3.6 The SubjectPublicKeyInfo O bject A.3.7 The T ime O bject A.3.8 The Extensions O bject A.3.9 The UniqueIdentifier O bject A.3.10 The Name O bject A.4 Example Certificate
126 128 128 131
132 132 133 133 133 133 134 134 134 134 135 135 135 136 136 137 139 142 145 145 146 147 147 148 148 149 149 150 150 152
Contents
xiii
Appendix B: SSL Security Checklist
B.1
B.2
B.3
Authentication Issues B.1.1 Certificate Authority B.1.2 Certificate Signature B.1.3 Certificate Validity T imes B.1.4 Certificate Revocation Status B.1.5 Certificate Subject B.1.6 Diffie-H ellman Trapdoors B.1.7 Algorithm Rollback B.1.8 D ropped ChangeCipherSpec Messages Encryption Issues B.2.1 Encryption Key Size B.2.2 Traffic Analysis B.2.3 The Bleichenbacher Attack General Issues B.3.1 RSA Key Size B.3.2 Version Rollback Attacks B.3.3 Premature Closure B.3.4 SessionID Values B.3.5 Random Number Generation B.3.6 Random Number Seeding
References
Protocol Standards Certificate Formats Cryptographic Algorithms SSL Implementations
161
161 162 163 163 163 163 164 164 165 166 166 167 168 170 170 171 171 172 172 173 175
175 176 177 178
Glossary
179
Index
191
1 Introduction
Today alone, Dell Computer will sell more than $18 million worth of computer equipment through the Internet. In 1999, nine million Americans traded stocks online, accounting for one-third of all retail stock trades. And more than 200,000 Web sites worldwide (including sites belonging to 98 of the Fortune 100) can accept e-commerce transactions. Commercial use of the Web continues to grow at an astonishing pace, and securing Web transactions has become increasingly critical to businesses, organizations, and individual users. Fortunately, an extremely effective and widely deployed communications protocol provides exactly that security. It is the Secure Sockets Layer protocol, more commonly known simply as SSL . The SSL protocol—along with its successor, the Transport Layer Security (T LS) protocol—is the subject of this book. This chapter introduces SSL and T LS, and provides the essential context for both. It begins with a very brief look at Web security and electronic commerce, focusing on the issues that led to the creation of SSL . The next section follows up with a quick history of SSL and its transformation into T LS. The relationship of SSL to other network security technologies is the subject of the third section. The forth section, “Protocol Limitations,” is an important one. Especially with security technologies, it is critical to understand what they cannot do. The chapter closes with an overview of the rest of this book.
1
2
SSL & TLS Essentials: Securing the Web
1.1 Web Security and Electronic Commerce Know the enemy. Sun Tzu could not have offered any advice more appropriate to security professionals. Specific security services are necessarily effective against only specific threats; they may be completely inappropriate for other security threats. To understand SSL , therefore, it is essential to understand the environment for which it has been designed. Even though SSL is a flexible protocol that is finding use in many different applications, the original motivation for its development was the Internet. The protocol’s designers needed to secure electronic commerce and other Web transactions. That environment is certainly perilous enough. Consider, for example, what happens when a user in Berlin places an online order from a Web site in San Jose, California. Table 1- 1 lists the systems through which the user’s messages might pass. Table 1-1 Internet Systems in Path from Berlin to San Jose Step
IP Address
System Name (if known)
1
212.211.70.7
2
212.211.70.254
3
195.232.91.66
4
212.211.30.29
5
206.175.73.45
hil-border1-atm4-0-2.wan.wcom.net
6
205.156.223.41
dub-border1-hss2-0.wan.wcom.net
7
204.70.98.101
8
204.70.98.49
core2-fddi-0.northroyalton.cw.net
9
204.70.9.138
corerouter1.westorange.cw.net
10
204.70.4.101
core5.westorange.cw.net
11
204.70.10.230
sprint4-nap.westorange.cw.net
12
192.157.69.85
sprint-nap.home.net
13
24.7.72.113
c1-pos9-1.cmdnnj1.home.net
14
24.7.67.153
c1-pos6-2.clevoh1.home.net
15
24.7.64.173
c1-pos3-0.chcgil1.home.net
16
24.7.64.141
c1-pos1-0.omahne1.home.net
fra-ppp2-fas1-0-0.wan.wcom.net
borderx1-hssi2-0.northroyalton.cw.net
Introduction
3
Step
IP Address
System Name (if known)
17
24.7.66.173
c1-pos8-3.lnmtco1.home.net
18
24.7.64.57
c1-pos1-0.slkcut1.home.net
19
24.7.66.77
c1-pos5-3.snjsca1.home.net
20
24.7.72.18
bb1-pos6-0-0.rdc1.sfba.home.net
21
172.16.6.194
22
10.252.84.3
23
10.252.10.150
24
209.219.157.152
www.sj-downtown.com
Figure 1- 1 highlights the fact that messages containing the user’s information, including sensitive information such as credit card numbers, may travel a complex path from Germany to California, crossing through many countries, over various networks, and on many different facilities. Some of those facilities are likely to belong to private enterprises, many of which are not subject to any regulation or other laws governing the privacy of the information they transport. Neither the user nor the Web server has any control over the path their messages take, nor can they control who examines the message contents along the route. From a security standpoint, it’s as if the user wrote her credit card number on a postcard and then delivered
Web Server
Web Browser
Figure 1-1 Messages travel complex paths through the Internet.
4
SSL & TLS Essentials: Securing the Web
the postcard as a message in a bottle. The user has no control over how the message reaches its destination, and anyone along the way can easily read its contents. Electronic commerce cannot thrive in such an insecure environment; sensitive information must be kept confidential as it traverses the Internet. Eavesdropping isn’t the only security threat to Web users. It is theoretically possible to divert Web messages to a counterfeit Web site. Such a counterfeit site could provide false information, collect data 1 such as credit card numbers with impunity, or create other mischief. The Internet needs a way to assure users of a Web site’s true identity; likewise, many Web sites need to verify the identity of their users. A final security challenge facing Web users is message integrity. A user placing an online stock trade certainly wouldn’t want his instructions garbled in such a way as to change “Sell when the price reaches $200” to “Sell when the price reaches $20.” The missing zero can make a significant difference in the user’s fortunes.
1.2 History of SSL and TLS Fortunately, engineers were thinking about these security issues from the Web’s beginnings. Netscape Communications began considering Web security while developing its very first Web browser. To address the concerns of the previous section, Netscape designed the Secure Sockets Layer protocol. Figure 1- 2 shows the evolution of SSL in the context of general Web development. The timeline begins in November 1993, with the release of Mosaic 1.0 by the National Center for Supercomputing Applications (N CSA). Mosaic was the first popular Web browser. Only eight months later, Netscape Communications completed the design for _________________ 1 This security threat isn’t unique to the W eb. In Computer-Related Risks (AddisonW esley, 1995), Peter G. Neumann recounts the story of two criminals who set up a bogus AT M in a Connecticut mall. The machine didn’t dispense much cash, but it did capture the account number and P I N of unsuspecting victims. The crooks then fabricated phony AT M cards and allegedly withdrew over $100 000.
Introduction
5
SSL 1.0 design complete SSL 2.0 product ships PCT 1.0 published SSL 3.0 published TLS WG formed 1993
1994 NCSA Mosaic released
1995
1996
TLS 1.0 published 1997
1998
1999
Internet Explorer released Netscape Navigator released
Figure 1-2 SSL was developed along with early Web browsers.
version 1.0; five months after that, Netscape shipped the first product with support for SSL version 2.0—Netscape Navigator. SSL
O ther milestones in the timeline include the publication of version 1.0 of the Private Communication Technology (P CT ) specification. Microsoft developed P CT as a minor enhancement to SSL version 2.0. It addressed some of the weaknesses of SSL 2.0, and many of its ideas were later incorporated into SSL version 3.0. The later events on the timeline represent a shift in focus for the SSL standard. Netscape Communications developed the first three versions of SSL with significant assistance from the Web community. Although SSL ’s development was open, and Netscape encouraged others in the industry to participate, the protocol technically belonged to Netscape. (Indeed, Netscape has been granted a U uS. patent for SSL .) Beginning in May 1996, however, SSL development became the responsibility of an international standards organization—the Internet Engineering Task Force (I E T F ). The I E T F develops many of the protocol standards for the Internet, including, for example, T CP and I P .
6
SSL & TLS Essentials: Securing the Web
To avoid the appearance of bias toward any particular company, the I E T F renamed SSL to Transport Layer Security (T LS). The final version of the first official T LS specification was released in January 1999. Despite the change of names, T LS is nothing more than a new version of SSL . In fact, there are far fewer differences between T LS 1.0 and SSL 3.0 than there are between SSL 3.0 and SSL 2.0. Section 5.4 details the differences between SSL and T LS, but check the sidebars for more information. Support for SSL is now built in to nearly all browsers and Web servers. For users of Netscape Navigator or Microsoft’s Internet Explorer, SSL operates nearly transparently. O bservant users might notice the “https:” prefix for an SSL -secured UR L , or they may see a small icon that each browser displays when SSL is in use. (Figure 1- 3 shows the padlock symbol that Internet Explorer displays in the bottom status bar; Navigator shows a similar icon.) For the most part, however, SSL simply works, safely providing confidentiality, authentication, and message integrity to its Web users. Today’s popular Web servers also include support for SSL . It’s usually a simple task to enable SSL in the server. As we’ll see, though, to support secure Web browsing, a Web server must do more than simply enable the SSL protocol. The server must also obtain a public key certificate from an organization that Web browsers trust. For users on the public Internet, those organizations are generally public certificate authorities. Popular certificate authorities include AT &T Certificate Services, GT E CyberTrust, KeyW itness International, Microsoft, Thawte Consulting, and VeriSign. The next chapter includes further discussions of certificate authorities (primarily in section 2.3.2), and appendix A provides details on public key certificates.
1.3 Approaches to Network Security The Secure Sockets Layer protocol provides effective security for Web transactions, but it is not the only possible approach. The Internet architecture relies on layers of protocols, each building on the services of those below it. Many of these different protocol layers can
SSL vs. TLS Because SSL is more widely used and much better known than TLS, the main text of this book describes SSL rather than TLS. The differences between the two are very minor, however. Sidebars such as this one will note all those differences.
Introduction
7
Figure 1-3 Web browsers such as Internet Explorer include SSL.
support security services, though each has its own advantages and disadvantages. As we’ll see in this section, the designers of SSL chose to create an entirely new protocol layer for security. It is also possible to include security services in the application protocol or to add them to a core networking protocol. As another alternative, applications can rely on parallel protocols for some security services. All of these options have been considered for securing Web transactions, and actual protocols exist for each alternative. Table 1- 2 summarizes the advantages of each approach, and this section considers each of the possible approaches in more detail. Table 1-2 Different Approaches to Network Security Protocol Architecture
Example
A
B
C
D
E
Separate Protocol Layer
SSL
Application Layer
S-HTTP
Integrated with Core
IPSEC
Parallel Protocol
Kerberos
Benefits:
A – Full Securit y B – Multiple Applications C – Tailored Services D – Transparent to Application E – Easy to Deploy
8
SSL & TLS Essentials: Securing the Web
1.3.1 Separate Security Protocol The designers of the Secure Sockets Layer decided to create a separate protocol just for security. In effect, they added a layer to the Internet’s protocol architecture. The left side of figure 1- 4 shows the key protocols for Web communications. At the bottom is the Internet Protocol (I P ). This protocol is responsible for routing messages across networks from their source to their destination. The Transmission Control Protocol (T CP ) builds on the services of I P to ensure that the communication is reliable. At the top is the H ypertext Transfer Protocol; H T T P understands the details of the interaction between Web browsers and Web servers. As the right side of the figure indicates, SSL adds security by acting as a separate security protocol, inserting itself between the H T T P application and T CP . By acting as a new protocol, SSL requires very few changes in the protocols above and below. The H T T P application interfaces with SSL nearly the same way it would with T CP in the absence of security. And, as far as T CP is concerned, SSL is just another application using its services. In addition to requiring minimal changes to existing implementations, this approach has another significant benefit: It allows SSL to support applications other than H T T P . The main motivation behind the development of SSL was Web security, but, as figure 1- 5 shows, SSL Not Secure
Secure
HTTP
HTTP
SSL
TCP
TCP
IP
IP
Figure 1-4 SSL is a separate protocol layer just for security.
Introduction
9
HTTP
NNTP
FTP
SSL
TCP
IP
Figure 1-5 SSL can add security to applications other than HTTP.
is also used to add security to other Internet applications, including those of the Net News Transfer Protocol (N N T P ) and the File Transfer Protocol (F T P ).
1.3.2 Application-Specific Security Although the designers of SSL chose a different strategy, it is also possible to add security services directly in an application protocol. Indeed, standard H T T P does include some extremely rudimentary security features; however, those security features don’t provide adequate protection for real electronic commerce. At about the same time Netscape was designing SSL , another group of protocol designers was working on an enhancement to H T T P known as Secure H T T P . Figure 1- 6 shows the resulting protocol architecture. The Secure H T T P standard has been published by the I E T F as an experimental Not Secure
HTTP
Secure
HTTP
TCP
TCP
IP
IP
security
Figure 1-6 Security can be added directly within an application protocol.
10
SSL & TLS Essentials: Securing the Web
protocol, and a few products support it. It never caught on to the same degree as SSL , however, and oday it is rare to find Secure H T T P anywhere on the Internet. One of the disadvantages of adding security to a specific application is that the security services are available only to that particular application. Unlike SSL , for example, it is not possible to secure N N T P , F T P , or other application protocols with Secure H T T P . Another disadvantage of this approach is that it ties the security services tightly to the application. Every time the application protocol changes, the security implications must be carefully considered, and, frequently, the security functions of the protocol must be modified as well. A separate protocol like SSL isolates security services from the application protocol, allowing each to concentrate on solving its own problems most effectively.
1.3.3 Security within Core Protocols The separate protocol approach of SSL can be taken one step further if security services are added directly to a core networking protocol. That is exactly the approach of the I P security (I P SEC ) architecture; full security services become an optional part of the Internet Protocol itself. Figure 1- 7 illustrates the I P SEC architecture. The I P SEC architecture has many of the same advantages as SSL . It is independent of the application protocol, so any application may use it. In most cases, the application does not need to change at all to Not Secure
Secure
HTTP
HTTP
TCP
TCP
IP
IP with IPSec
Figure 1-7 IPSEC adds security to a core network protocol.
Introduction
11
take advantage of I P SEC . In fact, it may even be completely unaware that I P SEC is involved at all. This feature does create its own challenges, however, as I P SEC must be sufficiently flexible to support all applications. This complexity may be a big factor in the delays in development and deployment of I P SEC. Another concern with the I P SEC approach is that it provides too much isolation between the application and security services. At least in its simplest implementations, I P SEC tends to assume that secure requirements are a function of a particular system, and that all applications within that system need the same security services. The SSL approach provides isolation between applications and security, but it allows some interaction between the two. The internal behavior of an application such as H T T P need not change when security is added, but the application typically has to make the decision to use SSL or not. Such interaction makes it easier for each application to direct the security services most appropriate to its needs. Despite these drawbacks, I P SEC adds powerful new security tools to the Internet, and it will undoubtedly see widespread deployment. The SSL protocol, however, has significant benefits as well, and its deployment is also expected to grow substantially in the future.
1.3.4 Parallel Security Protocol There is yet a fourth approach to adding security services to an application—a parallel security protocol. The most popular example of this strategy is the Kerberos protocol developed by the Massachusetts Institute of Technology. Researchers developed Kerberos to provide authentication and access control for resources in a distributed environment. The Kerberos protocol acts as a toolkit that other protocols can use for those security services. A remote login protocol such as Telnet, for example, can use Kerberos to securely identify its user. In the very early days of Web browser development, some effort was made to incorporate Kerberos support within H T T P . Figure 1- 8 shows the resulting architecture. This work was never completed, though. Instead, there have been recent efforts to combine Kerberos with T LS. In such applications, Kerberos provides a trusted key exchange
12
SSL & TLS Essentials: Securing the Web
Not Secure
HTTP
Secure
HTTP
Kerberos
TCP
TCP and UDP
IP
IP
Figure 1-8 Kerberos supplements application protocols.
mechanism for Transport Layer Security. Note, though, that Kerberos alone is not a complete security solution. It does not have access to the actual information exchanged by the communicating parties. W ithout that access, Kerberos cannot provide encryption and decryption services.
1.4 Protocol Limitations The SSL protocol, like any technology, has its limitations. And because SSL provides security services, it is especially important to understand its limits. After all, a false sense of security may be worse than no security. The limitations of SSL fall generally into three categories. First are fundamental constraints of the SSL protocol itself. These are a consequence of the design of SSL and its intended application. The SSL protocol also inherits some weaknesses from the tools its uses, namely encryption and signature algorithms. If these algorithms have weaknesses, SSL generally cannot rehabilitate them. Finally, the environments in which SSL is deployed have their own shortcomings and limitations, some of which SSL is helpless to address.
1.4.1 Fundamental Protocol Limitations Though its design includes considerations for many different applications, SSL is definitely focused on securing Web transactions. Some of its characteristics reflect that concentration. For example,
Introduction
13
of its characteristics reflect that concentration. For example, SSL requires a reliable transport protocol such as T CP . That is a completely reasonable requirement in the world of Web transactions, because the H ypertext Transfer Protocol itself requires T CP . The decision means, however, that SSL cannot operate using a connectionless transport 2 protocol like UDP . W ith this significant exception, Web transactions are representative of general network computing environments. The SSL protocol, therefore, can effectively accommodate most common applications quite well. Indeed, SSL is in use today for securing various applications, including file transfer, network news reading, and remote login. Another role that SSL fails to fill is support for a particular security service known as non-repudiation. Non-repudiation associates the digital equivalent of a signature with data, and when used properly, it prevents the party that creates and “signs” data from successfully denying that after the fact. The SSL protocol does not provide nonrepudiation services, so SSL alone would not be appropriate for an application that required it.
1.4.2 Tool Limitations The Secure Sockets Layer is simply a communication protocol, and any SSL implementation will rely on other components for many functions, including the cryptographic algorithms. These algorithms are the mathematical tools that actually perform tasks such as encryption and decryption. No SSL implementation can be any stronger than the cryptographic tools on which it is based. As of this writing, SSL itself has no known significant weaknesses. Some common cryptographic algorithms, however, have been successfully attacked, at least in the context of academics or other research. (There are no publicly acknowledged cases of anyone _________________ 2 Although neither SSL nor T LS can use UD P , the W ireless Application Forum, an industry group developing standards for Internet access protocols for wireless devices such as mobile phones, has created a variation of T LS known as W ireless T LS (W T LS), which can support UD P . More information is available at http://www.wapforum.org.
14
SSL & TLS Essentials: Securing the Web
exploiting these theoretical weaknesses in a commercial context.) Appendix B describes the publicly reported attacks in more detail, but, in general, SSL implementations must consider not only the security of SSL , but also that of the cryptographic services on which it is built.
1.4.3 Environmental Limitations A network protocol alone can only provide security for information as it transits a network. No network protocol protects data before it is sent or after it arrives at its destination. This is the only known weakness in Web security that has been successfully exploited in an actual commercial setting. Unfortunately, it has been exploited more 3 than once. Security in any computer network, whether the public Internet or private facilities, is a function of all the elements that make up that network. It depends on the network security protocols, the computer systems that use those protocols, and the human beings who use those computers. No network security protocol can protect against the confidential printout carelessly left on a cafeteria table. The Secure Sockets Layer protocol is a strong and effective security tool, but it is only a single tool. True security requires many such tools, and a comprehensive plan to employ them.
1.5 Organization of This Book Four more chapters and two appendices make up the rest of this book. Chapter 2 looks at some of the essential principles of cryptography and cryptographic algorithms. Although, strictly speaking, these algorithms are not part of the SSL protocol, a good bit of the protocol’s design depends on general cryptographic principles. W ithout getting too deep into the mathematics of cryptography, chapter 2 _________________ 3 See, for example, the 8 November 1996 edition of T he Wall Street Journal (page B b) or the 11 July 1997 issue of T he San Francisco Chronicle (page Cc).
Introduction
15
examines those essential principles. Chapter 3 begins the examination of SSL in earnest. It describes the SSL protocol in operation. It discusses the contents of SSL messages, but only in general terms. The chapter explains what SSL does without getting bogged down in the details of how it does it. Chapter 4, on the other hand, focuses exclusively on those details. It documents the format of all SSL messages, as well as the cryptographic calculations SSL uses to construct them. Chapter 5 provides additional details about SSL . It describes how the current version of SSL operates with previous SSL versions, and how Netscape and Microsoft have each augmented SSL with techniques that promote strong encryption worldwide, while adhering to United States export restrictions. This chapter also provides complete coverage of Transport Layer Security, detailing all the differences between T LS and SSL . Appendix A provides additional details on public key certificates. These certificates, which conform to the Xx standard, are critical to the operation of SSL , even though they are not part of the protocol itself. The appendix includes a brief introduction to Abstract Syntax Notation One, the language that the Xx standard uses to document certificates. Appendix B presents a security checklist for SSL . It includes a list of good practices for the development of SSL implementations, and defenses against all known attacks against SSL secured systems.
2 Basic Cryptography
The Web may be a relatively new way to communicate, but securing the Web relies on the same principles that have secured other communications media for thousands of years. In fact, the digital nature of the Web actually makes it easier to apply these techniques. In addition, systems on the Web can take advantage of new and powerful security technology. This chapter takes a brief look at the important principles that govern communications security. The scientific discipline that studies communications security is cryptography, and several concepts from modern cryptography are indispensable to the Secure Sockets Layer protocol. The first of the following three sections describes the uses of cryptography. The next section looks in more detail at two particular types of cryptography— secret key cryptography and public key cryptography. As the names imply, keys are an important part of both types, and this chapter concludes by discussing the management of these keys. Key management plays a critical role in the operation of SSL . As the following text implies, cryptography relies heavily on a mathematical foundation. But understanding the mathematics of cryptography is not essential for understanding SSL . For that reason, this chapter contains very little mathematics. Readers who are interested in a more thorough understanding of cryptography are invited to consult the texts described in the References section of this book.
17
18
SSL & TLS Essentials: Securing the Web
2.1 Using Cryptography The word cryptography is derived from the Greek for “secret writing.” The task of keeping information secret is probably the one most often associated with cryptography. Indeed, protecting secret information is an important mission for cryptographers, but, as this section shows, cryptography has other uses as well. Two that are particularly important to SSL are proving identity and verifying information. Table 2- 1 summarizes the main topics of this section. Table 2-1 Important Uses of Cryptography Use
Service
Protects Against
Keeping secrets
Confidentiality
Eavesdropping
Proving identity
Authentication
Forgery and masquerade
Verifying information
Message integrity
Alteration
2.1.1 Keeping Secrets To continue with a convention that has become almost universal in cryptography texts, consider the dilemma facing Alice and Bob in figure 2- 1. Alice needs to send Bob some important information. The Charles
Alice
Bob
Figure 2-1 Cryptography can protect information from eavesdroppers.
Basic Cryptography
19
information is extremely confidential, and it is important that no one other than Bob receive it. If, as in this example, the only way that Alice can communicate with Bob is by postcard, how can she send him the information without exposing it to mail carriers, snooping neighbors, or anyone else that happens to see the vital postcard? Cryptography gives Alice and Bob the means to protect their exchange. Before sending the postcard, Alice uses a secret code, or cipher, that only she and Bob understand. The cipher scrambles the information, rendering it unintelligible to parties such as Charles that do not know the secret code. Bob, however, knows the secret code and can decipher the necessary information.
2.1.2 Proving Identity Now consider the situation in figure 2- 2. Bob receives a postcard with important information, purportedly from Alice. But how does he know that the postcard really came from Alice? Might Charles have forged the card to make it appear as if from Alice? Again, cryptography provides a solution. Charles
Bob
Alice
Figure 2-2 Cryptography can help verify a sender’s identity.
20
SSL & TLS Essentials: Securing the Web
Through the use of cryptography, Alice can attach special information, such as a secret phrase, to the postcard. This secret phrase is information that only she and Bob know. Since Charles does not know the secret phrase, he will not be able to attach it to any forgery. Now all Bob has to do is look for the secret phrase. If it is present, then the postcard is genuine; if it is absent, he should be suspicious.
2.1.3 Verifying Information Proving identity is one thing, but suppose Charles is able to intercept a genuine message to Bob from Alice. Charles could then modify the message and forward the altered message on to Bob, as in figure 2- 3. Charles’s changes might alter the meaning of the message significantly, yet not destroy the secret phrase that “proves” Alice was the sender. To protect against this kind of behavior, there must be a way to not only verify the identity of the message source, but also to ensure that the message contents have not been altered in any way. Again, cryptography offers a solution. To validate the information on her postcard, Alice can use a special type of cryptographic function known as a hash function. A hash function creates a special mathematical summary of information. If the information is modified and the hash function recalculated, a different summary will result. To prevent Charles from successfully tampering with her postcard, Alice calculates the hash function for the information on the card, plus a secret value only she and Bob
Charles
Alice
Bob
Figure 2-3 Cryptography can ensure information has not been altered.
Basic Cryptography
21
know. She then adds the resulting summary to the postcard. W hen Bob receives the card, he can also calculate the hash function. If his summary matches that on the card, the information is valid. Cryptographic hash functions resemble checksums or cyclic redundancy check (CRC) codes that are common error detection mechanisms for traditional communication protocols. There is an important difference, though. Checksums and CRC codes are designed to detect accidental alterations, such as might occur on an unreliable transmission medium. Cryptographic hashes, on the other hand, are optimized to detect deliberate alterations. Because they assume the malicious attacker has full knowledge of the algorithm, and can thus exploit any weakness, effective hash functions are considerably harder to devise than standard error detection algorithms. Two particular hash functions are essential to SSL implementations. The first is Message Digest 5 (M D m), devised by Ron Rivest. The other important hash function is the Secure H ash Algorithm (SH A ), proposed by the U S. National Institute of Science and Technology. Both will make their appearance in chapters 4 and 5 when we look at the details of the SSL and T LS specifications.
2.2 Types of Cryptography As even the preceding brief introduction makes clear, one essential element of cryptography is the use of secret codes that are shared only by the communicating parties. W hether it’s keeping secrets, proving identity, or verifying information, Alice and Bob must know some secret information that Charles does not. Cryptographers call that information a key. Cryptographic techniques fall into two classifications, depending on the type of keys they use: secret key cryptography and public key cryptography. The following subsections describe each separately, then discuss how practical implementations often use a combination of the two approaches.
22
SSL & TLS Essentials: Securing the Web
2.2.1 Secret Key Cryptography W ith secret key cryptography, both parties know the same information—the key—and both endeavor to keep that key secret from everyone else. This is how most people think of cryptography in general, and, for nearly all of the several-thousand-year history of secret codes, it was the only form of cryptography known. The critical aspect of secret key cryptography is that both parties know the same secret information. For this reason, it has the technical name symmetric encryption. Encryption algorithms, or ciphers, based on secret key techniques are usually just mathematical transformations on the data to be encrypted, combined with the secret key itself. The approach resembles a carnival shell game, with the secret key serving as the initial location of the pea. Bits are swapped around and combined with each other in very complicated ways, and yet the various transformations can readily be undone, provided one knows the key. As a hint of the complexities involved, Figure 2- 4 illustrates one of the more common encryption algorithms. The figure also introduces two common cryptographic terms—plaintext, information before encryption, and ciphertext, information in its encrypted form. Plaintext is vulnerable to attackers; ciphertext, at least in theory, is not. An important quality that determines the effectiveness of a cipher is the size of the secret key. The larger the key, the more difficult it is to break the code. To understand why this is the case, consider an algorithm with an extremely small key size: 2 bits. In this example, the algorithm itself really wouldn’t matter. After all, with 2 bits there are only four possible keys. An attacker who obtained encrypted data could simply try all four possibilities. Cryptographers also characterize symmetric encryption algorithms according to how they process input data. Ciphers may be either stream ciphers or block ciphers. Stream ciphers process input data a byte at a time, and can accept any size of input for encryption. Block ciphers, in contrast, operate only on fixed-sized blocks of data— typically 8 bytes in size. Block ciphers are require less computation resources, and they are generally slightly less vulnerable to attack
Basic Cryptography
23
Data to Protect
plaintext
initial permutation
L0
R0 K1
+
f
L1 = R0
R1 = L0 + f(R0 ,K1 ) K2
+
f
L2 = R1
Secret Key
R2 = L1 + f(R1 ,K2 )
[repeated 12 more times] K15 +
f
L15 = R14
R15 = L14 + f(R14 ,K15 ) K16
+
f
R16 = L15 + f(R15 ,K16 )
L15 = R15
inverse permutation
ciphertext
Hidden Data
Figure 2-4 The DES cipher hides data by scrambling it with a secret key.
(and, thus, are by far the more common type). They are, however, slightly less convenient to use. The input data itself is the source of the inconvenience; it is rarely the same size as the cipher’s block. Encrypting data using a block cipher requires breaking the data into blocks, and, if the last block doesn’t contain exactly the right amount of data, adding dummy data, known as padding, to fill it out. Block ciphers also usually require an initialization vector of dummy data to begin the encryption process. The initialization vector primes
24
SSL & TLS Essentials: Securing the Web
the algorithm with irrelevant information, enabling the cipher to build up to full strength before the actual plaintext appears. Table 2- 2 lists the symmetric ciphers most commonly used with the Secure Sockets Layer protocol. Table 2-2 Symmetric Encryption Algorithms Abbreviation
Algorithm
Type
DES
Data Encryption Standard
Block
3DES
Triple-Strength Data Encryption Standard
Block
RC2
Rivest Cipher 2
Block
RC4
Rivest Cipher 4
Stream
2.2.2 Public Key Cryptography Most of the difficulties with traditional secret key cryptography are caused by the keys themselves. Both Alice and Bob need to have the same secret key, but under no circumstances should Charles have this key as well. That implies that before Alice and Bob can communicate information securely, they must be able to communicate the secret key securely. The problem mimics the classic chicken-or-egg dilemma. After all, if there’s a secure way for Alice and Bob to communicate the secret key, why can’t they use that same method to communicate the information, and dispense with the complexities of cryptography altogether? (In some situations, such as cloak-anddagger spying, the two parties can agree on the key beforehand, while they’re physically together; for obvious reasons, this approach isn’t practical for situations in which the parties never meet face-to-face, such as Web-based commerce.) A relatively new development in cryptography has eliminated the key distribution impasse and has made technology such as SSL and ecommerce possible. That development is public key cryptography. Public key cryptography or, more technically, asymmetric encryption, actually has each of the two parties use separate keys—one for encryption and a different one for decryption. The critical aspect of public key cryptography is that only one of these two keys needs to be kept secret. The other key, the public key, need not be secret at all.
Basic Cryptography
25
Although it seems a bit like magic, this has a solid mathematical basis. Fundamentally, asymmetric encryption is based on mathematical problems that are mush easier to generate than they are to solve. As an example, anyone with a pocket calculator can compute the product of 113 and 293 and get the correct answer of 33 109. It is much more difficult, however, to use the same pocket calculator to work a similar problem in reverse. W hich two whole numbers, when multi1 plied together, yield the product 29 213? Figure 2- 5 shows how public key encryption can work. W hen Bob wants Alice to send him information securely, he generates two keys.
1 Create keys.
2 3 Publish public key.
Encipher with public key.
5 4 Decipher with private key.
Send encrypted message.
Alice
Bob
Figure 2-5 Public key cryptography uses published keys to encrypt data. _________________ 1 The answer, for the insatiably curious, is 131 and 223.
26
SSL & TLS Essentials: Securing the Web
One is the private key, which Bob keeps completely to himself. Conversely, Bob advertises the public key, conceptually even by publishing it in a newspaper. Alice reads the newspaper to find out the public key, then uses it to encrypt the information. W hen Bob receives Alice’s postcard, his private key enables him to decipher the message. Since only Bob has his private key, only Bob can successfully decrypt the information. Even Alice would be unable to do so. Some public key encryption algorithms, notably the Rivest Shamir Adleman (RSA ) algorithm commonly used with SSL , also work in reverse. Information encrypted with a private key can be decrypted with the corresponding public key. This feature has several powerful applications, most importantly for SSLs as a way to prove identity. Imagine, as in figure 2- 6, that Bob encrypts some well-known information using his private key and sends the resulting ciphertext to Alice. Alice can use Bob’s public key to decipher the information. She then compares the result with the well-known information she was expecting. If there is a match, then Alice is assured that the information was encrypted with Bob’s private key. Only that key would have yielded the successful decryption. And, since Bob is the only person who knows his private key, Alice is further assured that Bob was the
1 Encipher with private key.
3
2
Decipher with public key.
Publish public key.
Alice
Bob
Figure 2-6 Public key ciphers verify identity using published keys.
Basic Cryptography
27
one who sent the information. Through this approach, Bob has proven his identity to Alice. Reversible public key algorithms such as RSA can also provide another important service: the digital equivalent of a signature. Suppose that Bob needs information from Alice. And further suppose that it is important that Alice not be able to later deny sending him the information, either to Bob or to an independent third party (such as a judge). In effect, Bob needs Alice to sign the information. To accomplish this, Alice can encrypt the information with her private key. Since anyone can obtain her public key, anyone can decipher the information. Only Alice, however, knows her private key, so only Alice could have encrypted the information in the first place. Some public key algorithms can only be used for digital signatures; they cannot provide encryption services. One such algorithm important to SSL is the Digital Signature Algorithm (D SA ).
2.2.3 Combining Secret and Public Key Cryptography Public key encryption is a powerful tool, but in most practical implementations it suffers from one serious disadvantage—the encryption operation is extremely complex. Complex mathematical operations can place a strain on some systems, requiring more processing capacity than the systems would otherwise need. If there were no alternatives, then most implementations requiring security might accept the higher system cost; fortunately, there is a relatively simple way to get the benefits of public key encryption while avoiding most of the system performance costs. The optimum approach uses a combination of secret key and public key cryptography. Figure 2- 7 shows how this combination can work in practice. To begin, Bob creates a public and private key, and then he publicizes the public key. H e does not share the private key with anyone. Alice, who wishes to send confidential data to Bob, retrieves his public key. She also generates a collection of random numbers. Once Alice has Bob’s public key, she encrypts those random numbers and sends them to Bob. Since only Bob has his private key, only Bob can decipher Alice’s message and extract the random numbers.
28
SSL & TLS Essentials: Securing the Web
1
2
Publish public key.
Generate random numbers for secret keys.
4
3
Decipher secret keys with private key.
Encrypt secret keys with Bob's public key.
5
5
Encipher and decipher data with secret keys.
Encipher and decipher data with secret keys.
Alice
Bob
Figure 2-7 Effective security combines secret and public key techniques.
Once Alice and Bob have successfully exchanged the random numbers, they no longer need public key encryption. Instead, they can use the random numbers as secret keys for standard symmetric encryption. Alice and Bob can communicate securely as long as they wish. And since symmetric encryption does not need nearly as much processing power as asymmetric encryption, the encryption comes at a much lower cost. There is an important variation to this process that relies on a different type of public key algorithm. The special type of algorithm is known as a key exchange algorithm, and the most famous example is the Diffie-H ellman algorithm. Diffie-H ellman is usually thought of as a public key algorithm, even though it cannot be used for encryp-
Basic Cryptography
29
tion or for digital signatures. Rather, Diffie-H ellman allows two parties to securely establish a secret number using only public messages. Diffie-H ellman is an alternative to steps 1–4 of figure 2- 7. One final note on figure 2- 7: As the next chapter details, this is actually a simplified view of basic SSL operation. Figure 3- 1 shows a different version of the same process.
2.3 Key Management Key management is a challenge to all forms of cryptography. Public key cryptography improves the situation; at least the keys that the parties exchange do not have to be kept secret from the rest of the world. Still, the public key must be exchanged reliably. In the previous examples, Alice has hypothetically retrieved Bob’s public keys from the newspaper. Suppose, however, that the nefarious Charles was able to print a phony newspaper (with a phony public key for Bob) and sneak it into Alice’s driveway in the morning in place of her real paper. H ow would Alice know of the fraud? It is exactly this problem that has led to the creation of public key certificates and certificate authorities. Although unnoticed by most casual Internet users, these are critical to the Secure Sockets Layer protocol and Web commerce.
2.3.1 Public Key Certificates In many ways, public key certificates are the digital equivalent of a driver’s license. Although certificates may belong to computer systems instead of individuals, they share three important characteristics with driver’s licenses. First, they each identify their subjects by including the subjects’ names. Second, they assert key information about the subject. A driver’s license declares that the subject has certain privileges (i.e., driving a car), while a certificate affirms the subject’s public key (and perhaps other privileges). Finally, both a certificate and a driver’s license are issued by a trusted organization, either a governmental agency or a certificate authority.
30
SSL & TLS Essentials: Securing the Web
Figure 2- 8 shows the contents of a typical public key certificate. Appendix A discusses this particular certificate format in detail, but only a few of the fields are truly important. The first of those is the issuer field, which identifies the organization that has issued the certificate. This information is critical to a person or computer system that examines a certificate because it determines whether the certificate can be trusted. The next important field is the period of validity. Like driver’s licenses, certificates expire after a certain time. The next field identifies the subject of the certificate, and it is followed by the subject’s public key. The final field of the certificate is also important. That field is the issuer’s signature, which is a digital signature of the contents of the certificate. The issuer creates this signature by encrypting a hash of the certificate with its private key. Any system that knows the issuer’s public key can verify the signature and ensure the validity of the certificate. Since this field can be a bit confusing, it is worthwhile to emphasize that the issuer creates the signature using its own private key, while the certificate itself contains the subject’s public key.
Version Serial Number Algorithm Identifier Issuer Period of Validity Subject Subject's Public Key Issuer Unique ID Subject Unique ID Extensions Signature
Figure 2-8 A public key certificate validates a subject’s public key.
Basic Cryptography
31
2.3.2 Certificate Authorities The issuer of a public key certificate is traditionally known as a certificate authority (CA ), and certificate authorities play a vital role in establishing trust among a community of users. As the previous subsection indicates, the certificate authority digitally signs all certificates, attesting to the validity of the public keys they contain. If users trust the certificate authority, they can trust any certificate that CA issues. In many cases, a certificate authority can be identified as either a private or a public CA . Private authorities include organizations that issue certificates strictly for their own users. A corporation, for example, may issue public key certificates for its employees. (Actually, they would issue the certificates for the employees’ computers.) The company could then set up its internal network to require appropriate certificates before granting access to critical data. Although systems within the company’s computer network could trust the company’s certificates, outside systems, including, for example, public Web servers, would be unlikely to do so. A private certificate authority issues certificates for use on its own private networks. But the Internet is a public network, and Web security generally relies on public certificate authorities. A public certificate authority issues certificates to the general public, and it can certify the identity of both individuals and organizations. Public authorities act as the digital equivalent of notary publics, certifying the identity of any party that presents appropriate credentials. For a company that wishes to establish a secure Web site, those credentials may include a D un & Bradstreet D dU dN dS number, a business license, articles of incorporation, or SEC filings that establish the company’s corporate identity. Certificate authorities are themselves frequently identified by their certificates, but their certificates differ from standard certificates in one important respect: the subject and the issuer are one and the same. The certificate authority certifies its own identity. Figure 2- 9 highlights the fact that the public key in a CA certificate is also the public key that verifies the certificate’s signature. This is a critical
32
SSL & TLS Essentials: Securing the Web
Version Serial Number Algorithm Identifier Issuer Period of Validity
Issuer and Subject are the same.
Subject Subject's Public Key Issuer Unique ID Subject Unique ID Extensions
Subject's Public Key verifies the certificate's Signature.
Signature
Figure 2-9 CA certificates have the same issuer and subject.
distinction from normal certificates. Any party that receives a normal certificate can check the certificate’s signature to decide whether to trust the public key in that certificate. As long as the certificate’s signature is valid and the issuer is trustworthy, then the receiving party can safely trust the public key. W ith a CA certificate, on the other hand, verifying the certificate’s signature does not help to establish trust. Any party that could forge a CA certificate would know the forged private key, and could thus easily generate the matching certificate signature. The validity of CA certificates must be established by other methods. In the case of Web commerce security, the validity of certificate authorities depends largely on the browser manufacturers. Both Microsoft’s Internet Explorer and Netscape’s Navigator by default recognize the certificates from important public certificate authorities. Figure 2- 10 shows some of the certificate authorities Netscape recognizes. (The full list, as of this writing, includes more than 50 authorities.) Although both Netscape and Microsoft allow users to install additional certificate authorities into their browsers, most secure Web sites elect to use a certificate that doesn’t require this extra effort from their users.
Basic Cryptography
33
Figure 2-10 Netscape Navigator recognizes many certificate authorities.
2.3.3 Certificate Hierarchies Sometimes, it becomes difficult for a certificate authority to effectively track all the parties whose identities it certifies. Especially as the number of certificates grows, a single authority may become an unacceptable bottleneck in the certification process. Fortunately, public key certificates support the concept of certificate hierarchies, which alleviate the scalability problems of a single, monolithic authority. W ith a hierarchy in place, a certificate authority does not have to certify all identities itself. Instead, it designates one or more subsidiary authorities. These authorities may, in turn, designate their own subsidiaries, the hierarchy continuing until an authority actually certifies end users. Figure 2- 11 illustrates a simple three-level hierarchy, one that might occur within a large corporation. As the figure shows, the ACM E Corporation has a master certificate authority and two subordinate authorities, one for H uman Resources and another for Research and Development. The subordinate authorities are responsible for entities within their domains.
34
SSL & TLS Essentials: Securing the Web
Issuer: ACME Corp. Subject: ACME Corp.
Issuer: ACME Corp.
Issuer: ACME Corp.
Subject: HR Dept.
Subject: R&D Dept.
Issuer: HR Dept.
Issuer: HR Dept.
Issuer: R&D Dept.
Issuer: R&D Dept.
Subject: Intranet
Subject: Benefits
Subject: Software
Subject: Documents
Figure 2-11 Certificate hierarchies divide responsibility for certificates.
A particularly powerful feature of certificate hierarchies is that they do not require that all parties automatically trust all the certificate authorities. Indeed, the only authority whose trust must be established throughout the enterprise is the master certificate authority. Because of its position in the hierarchy, this authority is generally known as the root authority. To see this process in action, consider what happens when a client in the R rD department needs to verify the identity of the Benefits server. The server presents its certificate, issued (and signed) by the H R department’s authority. The R rD client does not trust the H R authority, however, so it asks to see that authority’s certificate. W hen the client receives the H R authority’s certificate, it can verify that the H R authority was certified by the corporation’s root CA . Since the R rD client does trust the root CA , it can trust the Benefits server.
Basic Cryptography
35
2.3.4 Certificate Revocation Lists Before leaving the subject of public key certificates, there is one loose end to tie up. So far, we’ve seen how certificate authorities issue certificates, but what about the reverse process? W hat happens if a CA issues a certificate by mistake and wants to correct itself? Or what if a subject accidentally reveals its private key, so its certified public key is no longer safe to use? To solve these types of problems, certificate authorities use certificate revocation lists. A certificate revocation list, or CR L for short, is a list of certificates that the authority has previously issued, but no longer considers valid. The certificates themselves still appear legitimate; their signatures are correct, and their validity periods are appropriate. Nonetheless, the CA needs to indicate that they can no longer be trusted. The authority cannot change the certificates since they’ve already been issued, so the best it can do is maintain a list of these revoked certificates. It is the responsibility of any party that trusts another’s certificate to check with the certificate authority to make sure the certificate has not been revoked. This function is not the responsibility of the SSL protocol, so we won’t discuss it in any depth. It is noteworthy to consider, though, that the current Web commerce infrastructure does not have an effective (and widely supported) means for systems to check a certificate against a CRL . For that reason, there is no practical way to revoke a traditional Web commerce certificate.
3 SSL Operation
W ith an understanding of some of the key concepts of cryptography, we can now look closely at the operation of the Secure Sockets Layer (SSL ) protocol. Although SSL is not an extremely complicated protocol, it does offer several options and variations. This chapter explains SSL by starting with the simplest case: establishing an encrypted communications channel. It then considers successively more complex options, including authenticating the communicating parties, separating encryption from authentication, and resuming a previously established session. W ithin these sections, you will discover the full power of SSL . The SSL protocol consists of a set of messages and rules about when to send (and not to send) each one. In this chapter, we consider what those messages are, the general information they contain, and how systems use the different messages in a communications session. We do not, however, explore the detailed message formats: the bits and bytes that make up SSL messages as they transit across a network. That detail is the subject of chapter 4. Neither do we spend time here on the detailed cryptographic computations SSL requires; those, too, are a topic for the next chapter. This chapter concentrates on the big picture. The details will be much easier to understand once you have an appreciation of the overall operation of the Secure Sockets Layer.
3.1 SSL Roles The Secure Sockets Layer protocol defines two different roles for the communicating parties. One system is always a client, while the other
37
38
SSL & TLS Essentials: Securing the Web
is a server. The distinction is very important, because SSL requires the two systems to behave very differently. The client is the system that initiates the secure communications; the server responds to the client’s request. In the most common use of SSL , secure Web browsing, the Web browser is the SSL client and the Web site is the SSL server. These same two roles apply to all applications that use SSL , and the examples in this chapter (indeed, throughout the book) will clearly distinguish them. For SSL itself, the most important distinctions between clients and servers are their actions during the negotiation of security parameters. Since the client initiates a communication, it has the responsibility of proposing a set of SSL options to use for the exchange. The server selects from the client’s proposed options, deciding what the two systems will actually use. Although the final decision rests with the server, the server can only choose from among those options that the client originally proposed.
3.2 SSL Messages W hen SSL clients and servers communicate, they do so by exchanging SSL messages. Technically, SSL defines different levels of messages, but that topic is best left for Chapter 4. Since this chapter concentrates strictly on functionality, distinguishing between the various SSL levels is not critical. Table 3- 1 lists the SSL messages at all levels of the protocol, in alphabetical order. The remaining sections in this chapter show how systems use these messages in their communications. Table 3-1 SSL Messages Message
Description
Alert
Informs the other party of a possible security breach or communication failure.
ApplicationData
Actual information that the two parties exchange, which is encrypted, authenticated, and/ or verified by SSL.
Certificate
A message that carries the sender’s public key certificate.
SSL Operation
39
Message
Description
CertificateRequest
A request by the server that the client provide its public key certificate.
CertificateVerify
A message from the client that verifies that it knows the private key corresponding to its public key certificate.
ChangeCipherSpec
An indication to begin using agreed-upon security services (such as encryption).
ClientHello
A message from the client indicating the security services it desires and is capable of supporting.
ClientKeyExchange
A message from the client carrying cryptographic keys for the communications.
Finished
An indication that all initial negotiations are complete and secure communications have been established.
HelloRequest
A request by the server that the client start (or restart) the SSL negotiation process.
ServerHello
A message from the server indicating the security services that will be used for the communications.
ServerHelloDone
An indication from the server that it has completed all its requests of the client for establishing communications.
ServerKeyExchange
A message from the server carrying cryptographic keys for the communications.
3.3 Establishing Encrypted Communications The most basic function that an SSL client and server can perform is establishing a channel for encrypted communications. Figure 3- 1 shows the SSL message exchange this operation requires, and table 3- 2 summarizes the steps in the figure. This section looks at these steps in more detail by considering each message in the exchange.
40
SSL & TLS Essentials: Securing the Web
Client 1
Server ClientHello
5
ClientKeyExchange
6
ChangeCipherSpec
7
Finished
ServerHello
2
ServerKeyExchange
3
ServerHelloDone
4
ChangeCipherSpec
8
Finished
9
Figure 3-1 SSL uses 9 messages to establish encrypted communications.
Table 3-2 Negotiation of Encrypted Communications Step
Action
1
Client sends ClientHello message proposing
SSL options.
2
Server responds with ServerHello message selecting the SSL options.
3
Server sends its public key information in ServerKeyExchange message.
4
Server concludes its part of the negotiation with ServerHelloDone message.
5
Client sends session key information (encrypted with server’s public key) in ClientKeyExchange message.
6
Client sends ChangeCipherSpec message to activate the negotiated options for all future messages it will send.
SSL Operation
41
Step
Action
7
Client sends Finished message to let the server check the newly activated options.
8
Server sends ChangeCipherSpec message to activate the negotiated options for all future messages it will send.
9
Server sends Finished message to let the client check the newly activated options.
3.3.1 ClientHello The ClientHello message starts the SSL communication between the two parties. The client uses this message to ask the server to begin negotiating security services by using SSL . Table 3- 3 lists the important components of a ClientH ello message. Table 3-3 ClientHello Components
SSL vs. TLS The TLS protocol uses a version value of 3.1 instead of 3.0.
Field
Use
Version
Identifies the highest version of the SSL protocol that the client can support.
RandomNumber
A 32-byte random number used to seed the cryptographic calculations.
SessionID
Identifies a specific SSL session.
CipherSuites
A list of cryptographic parameters that the client can support.
CompressionMethods
Identifies data compression methods that the client can support.
The Version field of the ClientH ello message contains the highest version number of SSL that the client can support. The current SSL version is 3.0, and it is by far the most widely deployed on the Internet. (But see the sidebar for information on T LS.) Note that a server may assume that the client can support all SSL versions up to and including the value of this field. If, for example, a client sends a version 3.0 ClientH ello to a server that only supports version 2.0 of SSL , the server may respond with version 2.0 messages that it expects the client to understand. In such cases, that client can decide to continue with the SSL session using version 2.0 functionality, or it can abandon
42
SSL & TLS Essentials: Securing the Web
the communication attempt. Section 5.1 includes additional information about compatibility with previous versions. The R andomNumber field, as you might expect, contains a random number. This random value, along with a similar random value that the server creates, provides the seed for critical cryptographic calculations. Chapter 4 has the details. The SSL specification suggests that four of this field’s 32 bytes consist of the time and date. The SSL protocol does not require a particular level of accuracy for this value, as it is not intended to provide an accurate time indication. Instead, the specification suggests using the date and time as a way to ensure that the client never uses the same random value twice. This precaution protects against an impostor copying old SSL messages from a legitimate client and reusing them to establish a counterfeit session. The remaining 28 bytes of this value should be a “cryptographically secure” random number. Security is not something we ordinarily associate with randomness, but it is important in this case. Most computer programs use a technique known as pseudorandom number generation to create random numbers. W hen used correctly, this approach does yield numbers that have the appearance of randomness. H owever, the technique does have a serious flaw when used in a security context: if an attacker knows the exact algorithm and one random value, that attacker can correctly predict all future random values. This knowledge might allow the attacker to anticipate a particular future value and prepare an attack against it. To prevent this type of attack, SSL implementations should use a different technique for generating random numbers; typically, they use one based on cryptographic algorithms. The next field in the ClientH ello message is SessionID. Although all ClientH ello messages may include this field, in this example, the field is meaningless and would be empty. Section 3.8 presents an example of how the SessionID field may be used. The CipherSuites field allows a client to list the various cryptographic services that the client can support, including exact algorithms and key sizes. The server actually makes the final decision as to which cryptographic services will be used for the communication, but it is
SSL Operation
43
limited to choosing from this list. Chapter 4 describes the format of this field in detail, including the various algorithms and key size options that SSL defines. The CompressionM ethods field is, in theory, similar to the CipherSuites field. In it, the client may list all of the various data compression methods that it can support. Compression methods are an important part of SSL because encryption has significant consequences on the effectiveness of any data compression techniques. Encryption changes the mathematical properties of information in a way that makes data compression virtually impossible. In fact, if it were possible to compress encrypted data, that would likely indicate a security weakness in the encryption algorithm. For this reason, if two parties are going to employ data compression for a communication, it is important that they compress their data before encrypting it. The SSL protocol accommodates this behavior by including the capacity for data compression, and by making sure that the compression occurs before encryption. In the current version of SSL , however, no actual compression methods have been defined. This field, therefore, currently is of limited use. In the future, additional compression methods may be defined and added to the T LS (but not SSL ) specifications.
3.3.2 ServerHello W hen the server receives the ClientH ello message, it responds with a ServerHello. As table 3- 4 shows, the contents of a ServerH ello are much the same as a ClientH ello. There are a few important differences, though, which we’ll examine in this subsection. In general, where the client makes suggestions in its ClientH ello message, the server makes the final decision in its ServerH ello. Table 3-4 ServerHello Components Field
Use
Version
Identifies the version of the SSL protocol to be used for this communication.
RandomNumber
A 32-byte random number used to seed the cryptographic calculations.
44
SSL & TLS Essentials: Securing the Web
Field
Use
SessionID
Identifies the specific SSL session.
CipherSuite
The cryptographic parameters to be used for this communication.
CompressionMethod
The data compression method to be used for this communication.
The Version field is the first example of a server making a final decision for the communications. The ClientH ello’s version simply identifies which SSL versions the client can support. The ServerH ello’s version, on the other hand, determines the SSL version that the communication will use. A server is not completely free to choose any SSL version, however; it cannot pick a version newer than the latest that the client can support. If the client does not like the server’s choice, it may abandon the communication. As of this writing, nearly all SSL clients and servers support version 3.0 of the SSL protocol. The R andomNumber field of the ServerH ello is essentially the same as in the ClientH ello, though this random value is chosen by the server. Along with the client’s value, this number seeds important cryptographic calculations. The server’s value does share the same properties as in the ClientH ello. Four of the 32 bytes are the date and time (to avoid repeating random values); the remaining bytes should be created by a cryptographically secure random number generator. The SessionID field of a ServerH ello may contain a value, unlike the ClientH ello’s field just discussed. The value in this case uniquely identifies this particular SSL communication, or session. The main reason for explicitly identifying a particular SSL session is to refer to it again later. Section 3.8 shows an example of how a client can use this facility to speed up the SSL negotiation process. If the server does not intend the session to ever be reused, it can omit the SessionID field from its ServerH ello message. The CipherSuite field (note that the name is singular, not plural, as in the case of a ClientH ello) determines the exact cryptographic parameters, specifically algorithms and key sizes, to be used for the session. The server must select a single cipher suite from among those listed by the client in its ClientH ello message.
SSL vs. TLS The TLS protocol uses a version value of 3.1 instead of 3.0.
SSL Operation
45
The CompressionM ethod field is also singular for a ServerH ello. In theory, the server uses this field to identify the data compression to be used for the session. Again, the server must pick from among those listed in the ClientH ello. Current SSL versions have not defined any compression methods, however, so this field has no practical utility.
3.3.3 ServerKeyExchange In this example, the server follows its ServerH ello message with a ServerKeyExchange message. This message complements the CipherSuite field of the ServerH ello. W hile the CipherSuite field indicates the cryptographic algorithms and key sizes, this message contains the public key information itself. The exact format of the key information depends on the particular public key algorithm used. For the RSA algorithm, for example, the server includes the modulus and public exponent of the server’s RSA public key. Note that the ServerKeyExchange message is transmitted without encryption, so that only public key information can be safely included within it. The client will use the server’s public key to encrypt a session key, which the parties will use to actually encrypt the application data for the session.
3.3.4 ServerHelloDone The ServerHelloDone message tells the client that the server has finished with its initial negotiation messages. The message itself contains no other information, but it is important to the client, because once the client receives a ServerH elloDone, it can move to the next phase of establishing the secure communications.
3.3.5 ClientKeyExchange W hen the server has finished its part of the initial SSL negotiation, the client responds with a ClientKeyExchange message. Just as the ServerKeyExchange provides the key information for the server, the ClientKeyExchange tells the server the client’s key information. In
46
SSL & TLS Essentials: Securing the Web
this case, however, the key information is for the symmetric encryption algorithm both parties will use for the session. Furthermore, the information in the client’s message is encrypted using the public key of the server. This encryption protects the key information as it traverses the network, and it allows the client to verify that the server truly possesses the private key corresponding to its public key. O therwise, the server won’t be able to decrypt this message. This operation is an important protection against an attacker that intercepts messages from a legitimate server and pretends to be that server by forwarding the messages to an unsuspecting client. Since a fake server won’t know the real server’s private key, it won’t be able to decrypt the ClientKeyExchange message. W ithout the information in that message, communication between the two parties cannot succeed.
3.3.6 ChangeCipherSpec After the client sends key information in a ClientKeyExchange message, the preliminary SSL negotiation is complete. At that point, the parties are ready to begin using the security services they have negotiated. The SSL protocol defines a special message— ChangeCipherSpec—to explicitly indicate that the security services should now be invoked. Since the transition to secured communication is critical, and both parties have to get it exactly right, the SSL specification is very precise in describing the process. First, it identifies the set of information that defines security services. That information includes a specific symmetric encryption algorithm, a specific message integrity algorithm, and specific key material for those algorithms. The SSL specification also recognizes that some of that information (in particular, the key material) will be different for each direction of communication. In other words, one set of keys will secure data the client sends to the server, and a different set of keys will secure data the server sends to the client. (In principle, the actual algorithms could differ as well, but SSL does not define a way to negotiate such an option.) For any given system, whether it is a client or a server, SSL defines a write state and a read state. The write state defines the security information
SSL Operation
47
for data that the system sends, and the read state defines the security information for data that the system receives. The ChangeCipherSpec message serves as the cue for a system to begin using its security information. Before a client or server sends a ChangeCipherSpec message, it must know the complete security information it is about to activate. As soon as the system sends this message, it activates its write state. Similarly, as soon as a system re-
Client Write
1
Read
Act
Pnd
Act
Pnd
Encr
null
?
null
?
MAC
null
?
null
?
key
null
?
null
?
Pnd
Act
Write Act
ServerHello
2
ServerKeyExchange
3
ServerHelloDone
4
Read Pnd
Encr
null
DES
null
DES
MAC
null
MD5
null
MD5
key
null
?
null
?
Pnd
Act
Write Act
ClientHello
Read
Encr
null
DES
null
DES
MAC
null
MD5
null
MD5
key
null
xxx
null
xxx
Write
Read
Act
Pnd
Act
ClientKeyExchange
6
ChangeCipherSpec
7
Finished
Pnd
Encr
DES
?
null
DES
MAC
MD5
?
null
MD5
key
xxx
?
null
xxx
Act
Pnd
Act
Pnd
Write
5
Pnd
Read
Encr
DES
?
DES
?
MAC
MD5
?
MD5
?
key
xxx
?
xxx
?
ChangeCipherSpec
8
Finished
9
Figure 3-2 Clients build pending cipher suites while using active ones.
48
SSL & TLS Essentials: Securing the Web
ceives a ChangeCipherSpec from its peer, the system activates its read state. Figures 3- 2 and 3- 3 illustrate this process in more detail. The first shows how the client views the process, while the second takes the server’s perspective. In both figures, the matrices on the side show the systems’ read and write states. The events shown in black (as opposed to gray) cause the systems to update their states. As the figures indicate, SSL actually defines two separate read and write states for each system. One of
Server
1
ClientHello
Write
ServerHello ServerKeyExchange ServerHelloDone
5
6 7
Pnd
Act
Pnd
Encr
null
?
null
?
MAC
null
?
null
?
key
null
?
null
?
Act
Pnd
Act
Encr
null
DES
null
DES
MAC
null
MD5
null
MD5
key
null
?
null
?
Act
Pnd
Act
Encr
null
DES
null
DES
MAC
null
MD5
null
MD5
key
null
xxx
null
xxx
2 3 4
Read
Act
Write
ClientKeyExchange
Read
Write
ChangeCipherSpec
Read
Write
Finished
ChangeCipherSpec Finished
Pnd
Read
Act
Pnd
Act
Encr
null
DES
null
DES
MAC
null
MD5
null
MD5
key
null
xxx
null
xxx
8 9
Pnd
Write
Pnd
Read
Act
Pnd
Act
Pnd
Encr
DES
?
DES
?
MAC
MD5
?
MD5
?
key
xxx
?
xxx
?
Figure 3-3 SSL servers also build pending cipher suites.
SSL Operation
49
the states is active and the second is pending. Both the client and the server, therefore, maintain a total of four different states: the active write state, the pending write state, the active read state, and the pending read state. (The figures use the abbreviations “Act” and “Pnd” for active and pending, respectively.) The figures also show the key elements of a state. They are the encryption algorithm (abbreviated “Encr”), the message integrity algorithm (abbreviated “M AC” for Message Authentication Code), and the key material. In figures 3- 2 and 3- 3, the systems agree to use the Data Encryption Standard (DE S) for symmetric encryption and Message Digest 5 (M D ) for message integrity. As the figures show, all systems start out in active states with no security services whatsoever. This initial condition is necessary for the systems to begin any communication; until they have negotiated security services and parameters, secure communication is not possible. As the systems exchange SSL messages, they begin building the pending state. First they agree on encryption and message integrity algorithms, then they exchange key information. Only then, when both the client and the server have full pending states, can the systems activate those pending states with ChangeCipherSpec messages. Table 3- 5 details the client processing that figure 3- 2 illustrates. It describes the steps in the figure that are shown in solid black; those are the steps that result in a change of the client’s states. Table 3-5 Client State Processing Step
Description
1
When the client initiates an SSL communication by sending a ClientHello message, it sets both of its active states to null (no security); initially, its pending states are unknown.
2
When the client receives a ServerHello message, it knows the algorithms that the server has selected for the session. It updates both of its pending states accordingly. Key information for the pending states is still unknown at this point.
5
Once the client has built and transmitted a ClientKeyExchange message, it knows the key material that will be used for the communication, so it updates the pending states.
50
SSL & TLS Essentials: Securing the Web
6
When the client sends a ChangeCipherSpec message, it moves its pending write state to the active write state and resets the pending state to unknown. No changes are made to the read states. From this point on, all data the client sends will use DES encryption and MD5 authentication as indicated by the now active write state.
8
When the client receives a ChangeCipherSpec, it updates the active read state with the pending values and resets the pending read state to unknown. From this point on, the client will expect received data to be secured with DES encryption and MD5 authentication.
Table 3- 6 outlines the processing that takes place in the server. It corresponds to figure 3- 3. Table 3-6 Server State Processing Step
Description
1
When the server first receives a ClientHello message, it sets both of its active states to null; its pending states are unknown.
2
When the server sends its ServerHello message, it knows the algorithms that will be used for the session, and it updates both of its pending states accordingly. Key information for the pending states is still unknown at this point.
5
Once the server has received a ClientKeyExchange message, it knows the key material that will be used for the communication, so it updates the pending states appropriately.
6
When the server receives a ChangeCipherSpec message, it moves its pending read state to the active read state and resets the pending state to unknown. No changes are made to the write states. From this point on, the server will expect received data to be secured with DES encryption and MD5 authentication.
8
When the server sends its own ChangeCipherSpec, it updates the active write state with the pending values and resets the pending state to unknown. From this point on, all data the server sends will use DES encryption and MD5 authentication as indicated by the now active write state.
Notice from the figures that one system’s active write state is the same as the other system’s active read state—with one exception. The exception occurs during the transmission of a ChangeCipherSpec
SSL Operation
51
message. As soon as one system sends this message, it updates its active states. The other system, however, does not change its active states until it receives the message. In the interim, the two systems are temporarily out of synchronization.
3.3.7 Finished Immediately after sending their ChangeCipherSpec messages, each system also sends a Finished message. The Finished messages allow both systems to verify that the negotiation has been successful and that security has not been compromised. Two aspects of the Finished message contribute to this security. First, as the previous subsection explained, the Finished message itself is subject to the negotiated cipher suite. That means that it is encrypted and authenticated according to that suite. If the receiving party cannot successfully decrypt and verify the message, then clearly something has gone awry with the security negotiation. The contents of the Finished message also serve to protect the security of the SSL negotiation. Each Finished message contains a cryptographic hash of important information about the just-finished negotiation. Table 3- 7 details the information that is secured by the hash. Notice that protected data includes the exact content of all handshake messages used in the exchange (though ChangeCipherSpec messages are not considered “handshake” messages in the strict sense of the word, and thus are not included). This protects against an attacker who manages to insert fictitious messages or remove legitimate messages from the communication. If an attacker were able to do so, the client’s and server’s hash calculations would not match, and they would detect the compromise. Chapter 4 describes the details of the hash calculation. Table 3-7 Information Authenticated by Finished Message
•
Key information
•
Contents of all previous SSL handshake messages exchanged by the systems
•
A special value indicating whether the sender is a client or server
52
SSL & TLS Essentials: Securing the Web
3.4 Ending Secure Communications Although as a practical matter it is rarely used (primarily due to the nature of Web sessions), SSL does have a defined procedure for ending a secure communication between two parties. As figure 3- 4 shows, the two systems each send a special ClosureAlert to the other. Explicitly closing a session protects against a truncation attack, in which an attacker is able to compromise security by prematurely terminating a communication. Imagine, for example, that an attacker was able to delete just the second phrase of the following sentence: “Please destroy all the documents, unless you hear from me tomorrow.” The ClosureAlert message helps systems detect such attacks. If a system received the message “Please destroy all documents” but did not receive a ClosureAlert, it would recognize that the complete message may not have arrived. As mentioned, it is not always possible to receive ClosureAlert messages reliably for Web transactions. Appendix B describes other steps Web servers and clients can take to protect against these truncation attacks.
3.5 Authenticating the Server’s Identity Although section 3.4 explained how SSL can establish encrypted communications between two parties, that may not really add that much security to the communication. W ith encryption alone neither
Client
Server ClosureAlert ClosureAlert
Figure 3-4 ClosureAlert messages indicate the end of a secure session.
SSL Operation
53
party can really be sure of the other’s identity. The typical reason for using encryption in the first place is to keep information secret from some third party. But if that third party were able to successfully masquerade as the intended recipient of the information, then encryption would serve no purpose. The data would be encrypted, but the attacker would have all the data necessary to decrypt it. To avoid this type of attack, SSL includes mechanisms that allow each party to authenticate the identity of the other. W ith these mechanisms, each party can be sure that the other is genuine, and not a masquerading attacker. In this section, we’ll look at how SSL enables a server to authenticate itself. A natural question is, of course, if authenticating identities is so important, why don’t we always authenticate both parties? The answer lies in the nature of Web commerce. W hen you want to purchase something using your Web browser, it’s very important that the Web site you’re browsing is authentic. You wouldn’t want to send your credit card number to some imposter posing as your favorite merchant. The merchant, on the other hand, has other means for authenticating your identity. Once it receives a credit card number, for example, it can validate that number. Since the server doesn’t need SSL to authenticate your identity, the SSL protocol allows for server authentication only. (The protocol does define a process for authenticating clients. Section 3.7. discusses that process.) Table 3- 8 summarizes the actions each system takes to authenticate a server. The same steps are shown graphically in figure 3- 5. The process isn’t all that different from simple encryption. (Compare figure 3- 5 with figure 3- 1.) The two messages in black are different when authenticating a server. Those messages, the Certificate message and the ClientKeyExchange message, are discussed next. All other messages are the same as described in section 3.3. Table 3-8 Authenticating a Server Step
Action
1
Client sends ClientHello message proposing SSL options.
2
Server responds with ServerHello selecting the SSL options.
54
SSL & TLS Essentials: Securing the Web
Step
Action
3
Server sends its public key certificate in Certificate message.
4
Server concludes its part of the negotiation with ServerHelloDone message.
5
Client sends session key information (encrypted with server ’s public key) in ClientKeyExchange message.
6
Client sends ChangeCipherSpec message to activate the negotiated options for all future messages it will send.
7
Client sends Finished message to let the server check the newly activated options.
8
Server sends ChangeCipherSpec message to activate the negotiated options for all future messages it will send.
9
Server sends Finished message to let the client check the newly activated options.
Client 1
Server ClientHello
5
ClientKeyExchange
6
ChangeCipherSpec
7
Finished
ServerHello
2
Certificate
3
ServerHelloDone
4
ChangeCipherSpec
8
Finished
9
Figure 3-5 Two SSL messages authenticate a server's identity.
SSL Operation
55
3.5.1 Certificate W hen authenticating its identity, the server sends a Certificate message instead of the ServerKeyExchange message section 3.3.3 described. The Certificate message simply contains a certificate chain that begins with the server’s public key certificate and ends with the certificate authority’s root certificate. The client has the responsibility to make sure it can trust the certificate it receives from the server. That responsibility includes verifying the certificate signatures, validity times, and revocation status. It also means ensuring that the certificate authority is one that the client trusts. Typically, clients make this determination by knowing the public key of trusted certificate authorities in advance, through some trusted means. Netscape and Microsoft, for example, preload their browser software with public keys for well-known certificate authorities. Web servers that want to rely on this trust mechanism can only obtain their certificates (at least indirectly) from one of these wellknown authorities. One additional detail in the certificate verification process can sometimes seem subtle, but is nonetheless crucial for real security: The client must ensure not only that the certificate is issued by a trusted authority, but that the certificate also unambiguously identifies the party with whom it wants to communicate. Consider, for example, a malicious company that receives a legitimate certificate from a trusted certificate authority under its own name, but then turns around and uses that certificate illegitimately to masquerade as a competitor. The unsuspecting client that communicates with this malicious company (believing that it is communicating with the competitor) will receive a legitimate certificate as part of the SSL exchange. The client, however, must be intelligent enough to detect that the certificate does not belong to the real competitor. For Web commerce, the key to solving this problem normally relies on the domain name of the server. Respected certificate authorities include the Internet domain name of the Web server in the certificates they issue. And Web browsers check the domain name in certificates they receive against the domain name their users attempt to contact. If,
56
SSL & TLS Essentials: Securing the Web
for example, a browser tries to connect to www.goodcompany.com and receives a certificate for www.badcompany.com, the browser knows something is amiss no matter how valid the certificate otherwise appears. Appendix B contains additional information on verifying certificates.
3.5.2 ClientKeyExchange The client’s ClientKeyExchange message also differs in server authentication, though the difference is not major. W hen encryption only is to be used, the client encrypts the information in the ClientKeyExchange using the public key the server provides in its ServerKeyExchange message. In this case, of course, the server is authenticating itself and, thus, has sent a Certificate message instead of a ServerKeyExchange. The client, therefore, encrypts its ClientKeyExchange information using the public key contained in the server’s certificate. This step is important because it allows the client to make sure that the party with whom it is communicating actually possesses the server’s private key. Only a system with the actual private key will be able to decrypt this message and successfully continue the communication.
3.6 Separating Encryption from Authentication The previous section explained how a server can send a Certificate message instead of a ServerKeyExchange message to authenticate itself. One consequence of this approach is that the same public key information used to verify the server’s identity is also used to encrypt key material in the client’s ClientKeyExchange message. This constraint is not always desirable; indeed, in some cases it is actually impossible to support. The impossible cases are easiest to describe. Some public key algorithms (such as the Digital Signature Algorithm) can only be used for signing. By their very design, they cannot be used for encryption. In such cases, it will be impossible for the client to encrypt its ClientKeyExchange information using the server’s public key.
SSL Operation
57
This limitation alone would be sufficient to require greater flexibility from the SSL protocol, but it is worthwhile to understand why combining signing and encryption might be undesirable, even when the public key algorithm supports both operations. The most common reason for separating encryption from signing is based not on technical considerations, but on legal ones. Some countries, including important producers of cryptographic products such as the United States (at least at the time of this writing), control the use or the export of products that include cryptography. In particular, the United States makes it more difficult for suppliers to export cryptographic products that use encryption key lengths greater than a certain minimum. (Key lengths less than or equal to these limits are said to
Client 1
Server ClientHello
6
ClientKeyExchange
7
ChangeCipherSpec
8
Finished
ServerHello
2
Certificate
3
ServerKeyExchange
4
ServerHelloDone
5
ChangeCipherSpec
9
Finished
10
Figure 3-6 Three SSL messages isolate authentication from encryption.
58
SSL & TLS Essentials: Securing the Web
be exportable.) In principle, at least, the United States does not impose the same restrictions on keys used for digital signatures. Systems that fall under U S. jurisdiction, therefore, may prefer to use the longest practical keys for authenticating their identity (thus providing the strongest practical authentication), but use encryption keys that conform to the weaker export restrictions. W hatever the reason, SSL does provide a mechanism for separating server authentication from the encryption. Table 3- 9 outlines the steps involved, and figure 3- 6 illustrates the entire process. The figure highlights the three messages that are significant for separating encryption and server authentication. They are the Certificate, ServerKeyExchange, and ClientKeyExchange messages.
Table 3-9 Separating Server Authentication from Encryption Step
Action
1
Client sends ClientHello message proposing
2
Server responds with ServerHello message selecting the SSL options.
SSL options.
3
Server sends its public key certificate in Certificate message.
4
Server sends the public key that the client should use to encrypt the symmetric key information in a ServerKeyExchange; this public key is signed with the public key in the server’s certificate.
5
Server concludes its part of the negotiation with ServerHelloDone message.
6
Client sends session key information (encrypted with the public key provided by the server) in a ClientKeyExchange message.
7
Client sends ChangeCipherSpec message to activate the negotiated options for all future messages it will send.
8
Client sends Finished message to let the server check the newly activated options.
9
Server sends ChangeCipherSpec message to activate the negotiated options for all future messages it will send.
10
Server sends Finished message to let the client check the newly activated options.
SSL Operation
59
3.6.1 Certificate The Certificate message in this example is identical to the example in section 3.5, except that the public key in the server’s certificate will only be used to verify its identity. The client still has all the responsibilities section 3.5.1 discussed, however. It must verify the certificate’s signatures, validity times, and revocation status, and it must ensure that the certificate authority is trusted, and that the certificate was issued to the party with whom it wishes to communicate.
3.6.2 ServerKeyExchange The server follows its Certificate message with a ServerKeyExchange message. It is this second message that contains the public key the client should use to encrypt session key information. The ServerKeyExchange is the same message that we saw when no authentication was involved, and the information contained in the message is the same as described in section 3.3.3—with one significant difference: Unlike the example of section 3.3, in which the server keys were sent by themselves, in this scenario, the key information is signed using the public key contained in the server’s certificate. This step is essential to give the client a way to verify that the server really does possess the private key corresponding to its public key certificate.
3.6.3 ClientKeyExchange The client uses a ClientKeyExchange message to finish the negotiation process, just as it does in other scenarios. As before, this message contains the key information for the symmetric encryption algorithm the two parties have selected. Also as before, this information is encrypted using the server’s public key. It is important to note that the public key used for this encryption is the public key from the ServerKeyExchange message, not the public key from the server’s Certificate message (even if that public key algorithm supports encryption).
60
SSL & TLS Essentials: Securing the Web
3.7 Authenticating the Client ’s Identity Since SSL includes mechanisms to authenticate a server’s identity, it is natural to expect that the protocol also defines a way to authenticate a client’s identity. Indeed, that is the case; the mechanism is very similar to that for server authentication. You can see the whole process in figure 3- 7, which highlights the messages that are significantly different from the message flows we’ve considered so far. Those messages are the CertificateRequest, the client’s Certificate message, and the CertificateVerify. Table 3- 10 highlights the role of those messages by summarizing the entire message flow. The rest of this section describes them in more detail. Table 3-10 Client Authentication Step
Action
1
Client sends ClientHello message proposing
SSL options.
2
Server responds with ServerHello selecting the SSL options.
3
Server sends its public key certificate in Certificate message.
4
Server sends a CertificateRequest message to indicate that it wants to authenticate the client.
5
Server concludes its part of the negotiation with ServerHelloDone message.
6
Client sends its public key certificate in a Certificate message.
7
Client sends session key information (encrypted with the server ’s public key) in a ClientKeyExchange message.
8
Client sends a CertificateVerify message, which signs importation information about the session using the client ’s private key; the server uses the public key from the client ’s certificate to verify the client ’s identity.
9
Client sends a ChangeCipherSpec message to activate the negotiated options for all future messages it will send.
10
Client sends a Finished message to let the server check the newly activated options.
11
Server sends a ChangeCipherSpec message to activate the negotiated options for all future messages it will send.
12
Server sends a Finished message to let the client check the newly activated options.
SSL Operation
61
3.7.1 CertificateRequest In any SSL exchange, the server determines whether client authentication is required. The client has no choice of its own; it simply complies with the server's wishes. If the server does require client authentication, it indicates that by sending a CertificateRequest message as part of its hello negotiation. As figure 3- 7 indicates, the server sends the CertificateRequest after its own Certificate message. Although not shown in the figure, the
Client 1
Server ClientHello
6
Certificate
7
ClientKeyExchange
8
CertificateVerify
9
ChangeCipherSpec
10
ServerHello
2
Certificate
3
CertificateRequest
4
ServerHelloDone
5
ChangeCipherSpec
11
Finished
12
Finished
Figure 3-7 Three SSL messages authenticate a client's identity.
62
SSL & TLS Essentials: Securing the Web
CertificateRequest would also follow any ServerKeyExchange message the server sends. Note, however, that the SSL specification forbids a server from sending a CertificateRequest if it is not also authenticating itself (by sending a Certificate message). This restriction ensures that the client will know the server’s identity before revealing its own. The CertificateRequest message contains two fields: a list of certificate types and a list of distinguished names, as table 3- 11 indicates. Table 3-11 CertificateRequest Components Field
Use
CertificateTypes
A list of certificate types acceptable to the server.
DistinguishedNames
A list of distinguished names of certificate authorities acceptable to the server.
The CertificateTypes field lists the various types of certificates (differentiated by the particular signature algorithm employed) that the server will accept. The certificate types are listed in order of decreasing preference. The DistinguishedNames field identifies the certificate authorities (denoted by their distinguished name; see appendix A ) that the server will accept. No preference is implied by the order in which the different authorities appear in this list.
3.7.2 Certificate A client normally responds to the certificate request by sending its own Certificate message immediately after receiving the ServerH elloDone. The format of the client’s Certificate message is identical to the server’s Certificate message that section 3.5.1 discussed; both contain a certificate chain beginning with the local system’s certificate and ending with the certificate authority’s root certificate. If a client does not possess a certificate that meets the server’s criteria (or if it has no certificate at all), it responds with a NoCertificateAlert. The server can choose to ignore this alert and continue with the communication (though it will be unable to verify the client’s identity), or it can terminate the session at that point.
SSL Operation
63
Note that SSL only uses the client’s public key for digital signatures. Unlike for the server’s public key, there is no protocol function that uses the client’s public key for encryption. There is no need, therefore, to explicitly separate client authentication from encryption, so SSL has no client equivalent for the ServerKeyExchange message. (The ClientKeyExchange, as we’ve seen, transfers symmetric key information, not public key information.)
3.7.3 CertificateVerify Simply sending a client Certificate message does not complete the process of authenticating the client’s identity. The client must also prove that it possesses the private key corresponding to the certificate’s public key. For its proof, the client uses a CertificateVerify message. This message contains a digitally signed cryptographic hash of information available to both the client and the server. Specifically, the client signs a hash of the information table 3- 12 lists. The server also has this information, and it will receive (in the Certificate message) the client’s public key. The server can then verify the signature and make sure that the client possesses the appropriate private key. Table 3-12 Information Authenticated by CertificateVerify Message
•
Key information.
•
Contents of all previous SSL handshake messages exchanged by the systems.
From looking at figure 3- 7, you might wonder why the CertificateVerify message doesn’t immediately follow the Certificate message. Instead of this seemingly natural order, SSL has the client send a ClientKeyExchange message between the two. The reason for this message order is based on the cryptographic contents of the messages. The CertificateVerify message relies on cryptographic values that are computed and transferred to the server in the ClientKeyExchange. Until the server receives the ClientKeyExchange, it cannot validate the CertificateVerify message. (Chapter 4 contains a more detailed discussion of the specific computations each side employs.)
64
SSL & TLS Essentials: Securing the Web
3.8 Resuming a Previous Session As this chapter has demonstrated, establishing an SSL session may be complex, requiring sophisticated cryptographic calculations and a significant number of protocol messages. To minimize the overhead of these calculations and messages, SSL defines a mechanism by which two parties can reuse previously negotiated SSL parameters. W ith this method, the parties do not need to repeat the cryptographic negotiations or authentication calculations; they simply continue from where they left off before. As table 3- 13 and figure 3- 8 show, resuming earlier sessions notably streamlines the negotiation. Table 3-13 Resuming a Session Step
Action
1
Client sends ClientHello message specifying a previously established SessionID.
2
Server responds with ServerHello message agreeing to this SessionID.
Client 1
Server ClientHello
5
ChangeCipherSpec
6
Finished
ServerHello
2
ChangeCipherSpec
3
Finished
4
Figure 3-8 It only takes six messages to resume an SSL session.
SSL Operation
65
Step
Action
3
Server sends ChangeCipherSpec message to reactivate the session’s security options for messages it will send.
4
Server sends Finished message to let the client check the newly reactivated options.
5
Client sends ChangeCipherSpec message to reactivate the negotiated options for all future messages it will send.
6
Client sends Finished message to let the server check the newly reactivated options.
As the figure indicates, after the server sends it ServerH ello message, it immediately sends ChangeCipherSpec and Finished messages. Similarly, the client only sends ChangeCipherSpec and Finished messages once it receives the ServerH ello. In both cases, the ChangeCipherSpec directs each party to make the previously active cipher suite active once again. The key to session resumption is the ClientH ello message. The client proposes to resume a previous session by including that session’s SessionID value in its ClientH ello. (Recall from the discussion in section 3.3.1 that this value is left empty when an SSL session is first established; the server can supply a value in its ServerH ello response.) If the server wishes to accept the client’s proposal and resume the earlier session, it indicates its acceptance by including the same SessionID value in its own ServerH ello. If the server elects not to resume the earlier session, it sends a different SessionID value and the full negotiation then takes place. Although session resumption offers a great deal of convenience and efficiency to the systems that use it, those systems should exercise some care in employing it. W hen a single key is employed, encryption inevitably becomes less secure, both as more information is protected and as time passes. Potential attackers gain more data to analyze and more time to perform the analysis. Systems that consider using SSL session resumption should weigh those considerations against the expected efficiency and convenience gains.
4 Message Formats
W ith chapter 3’s description of the various SSL messages and how they’re used in mind, it is time to turn our attention to the detailed formats of those messages. Unfortunately, at least for those used to reading protocol specifications, the SSL standard uses a novel approach for describing that formatting, and although concise and easy to present in textual documents, the SSL descriptions may be a bit confusing for many networking professionals. For that reason, we’ll use a more conventional approach—pictures—in this chapter. The SSL protocol itself consists of several different components organized as figure 4- 1 illustrates. Four different sources create SSL messages: the ChangeCipherSpec protocol, the Alert protocol, the H andshake protocol, and applications like H T T P . The Record Layer protocol accepts all of these messages, then formats and frames them appropriately, and passes them to a transport layer protocol such as T CP for transmission.
HTTP
Secure Sockets Layer
Change Cipher
Handshake
Alert
Application
Record Layer
TCP
Figure 4-1 SSL consists of several component protocols.
67
68
SSL & TLS Essentials: Securing the Web
This chapter begins with a discussion of the requirements SSL imposes on the transport protocol. It then describes the details of each SSL component. The final subsections document the cryptographic calculations and options available with SSL .
4.1 Transport Requirements The Secure Sockets Layer does not exist as a protocol in isolation. Rather, it depends on additional lower-level protocols to transport its messages between peers. The SSL protocol requires that the lower layer be reliable; that is, it must guarantee the successful transmission of SSL messages without errors and in the appropriate order. In all practical implementations, SSL relies on the Transmission Control Protocol (T CP ) to meet those requirements.
Server
Client TCP Segment
TCP Segment
1
ClientHello ServerHello
2
Certificate
3
ServerHelloDone
4
5
ClientKeyExchange
6
ChangeCipherSpec
7
Finished ChangeCipherSpec
8
Finished
9
Figure 4-2 SSL can combine messages within TCP segments.
TCP Segment
TCP Segment
Message Formats
69
Like all protocols that use T CP , SSL is self-delimiting. That means that SSL can determine the beginning and end of its own messages without assistance from the transport layer. To mark these beginnings and endings, SSL puts its own explicit length indicator in every message. This explicit delimiter lets SSL combine multiple SSL messages into single T CP segments. Figure 4- 2 shows a typical SSL handshake sequence. Note that nine separate SSL messages result in only four T CP segments. This combination conserves network resources and increases the efficiency of the SSL protocol.
4.2 Record Layer The Secure Sockets Layer uses its Record Layer protocol to encapsulate all messages. Figure 4- 3 emphasizes the Record Layer’s position in the SSL architecture. It provides a common format to frame Alert, ChangeCipherSpec, H andshake, and application protocol messages. The Record Layer formatting consists of 5 bytes that precede other protocol messages and, if message integrity is active, a message authentication code at the end of the message. The Record Layer is also responsible for encryption if that service is active. Figure 4- 4 shows the structure of Record Layer formatting. Table 4- 1 describes the figure’s individual fields, with the exception of encryption and message authentication codes. Those fields are the subject of section 4.7. In the previous figure, multibyte fields are shown in netHTTP
Secure Sockets Layer
Change Cipher
Handshake
Alert
Application
Record Layer
TCP
Figure 4-3 The Record Layer formats and frames all SSL messages.
70
SSL & TLS Essentials: Securing the Web
Protocol
Version
Length...
...Length
Protocol Message(s) Encrypted (Optional)
Message Authentication Code (Optional)
Figure 4-4 SSL’s Record Layer encapsulates all protocol messages.
work byte order, sometimes known as big endian. H igher-order bytes (those that are most significant) appear first in the figures. Table 4-1 SSL Record Layer Fields Field
Size
Usage
Protocol
1 byte
Indicates which higher-layer protocol is contained in this SSL Record Layer message.
Version
2 bytes
The major and minor version of the SSL specification to which this message conforms. The current SSL version is 3.0 (but see the sidebar).
Length
2 bytes
The length of the following higher-layer protocol messages as a 16-bit binary number. The SSL specification requires that this 14 value not exceed 2 (16 384).
Protocol Messages
n bytes
Up to 2 (16 384) bytes of higher-layer protocol messages, including message authentication codes; the SSL Record Layer may concatenate multiple higher-layer messages into a single Record Layer message. Those messages must all belong to the same higher-layer protocol. Also, as a consequence of this potential concatenation, each higher-layer protocol itself must be self-delimiting.
14
The SSL specification defines the four different higher-layer protocols that the Record Layer can encapsulate. For any particular message, the Protocol field indicates the specific higher-layer protocol. Table 4- 2 lists the values for that field.
SSL vs. TLS The TLS protocol uses a version value of 3.1 instead of 3.0.
Message Formats
71
Table 4-2 Record Layer Protocol Types Type Value
Protocol
20
ChangeCipherSpec protocol
21
Alert protocol
22
Handshake protocol
23
Application protocol data
4.3 ChangeCipherSpec Protocol The ChangeCipherSpec protocol is the simplest possible protocol— it has only one message. That message is the ChangeCipherSpec message introduced in chapter 3. Despite this simplicity, though, SSL treats ChangeCipherSpec as a separate protocol. As figure 4- 5 shows, it has the same position in the SSL architecture as other protocols, including the Alert, H andshake, and application data. At first glance, this approach might seem like overkill. W hy not just consider the ChangeCipherSpec message to be part of the H andshake protocol, for example? More careful analysis, however, reveals that ChangeCipherSpec messages must be a separate protocol. O therwise, SSL couldn’t function. The requirement arises because of the record layer encapsulation. The SSL protocol applies security services such as encryption to entire Record Layer messages at once. The ChangeCipherSpec message, however, indicates a change in those services. (Typically, it activates them.) Since encryption cannot be HTTP
Secure Sockets Layer
Change Cipher
Handshake
Alert
Application
Record Layer
TCP
Figure 4-5 ChangeCipherSpec messages are a separate protocol.
72
SSL & TLS Essentials: Securing the Web
Prot: 20
Vers: 3
1
CCS: 1
0
Len: 0
Figure 4-6 The ChangeCipherSpec message is very simple.
applied to parts of a message, it is impossible for any other message to follow a ChangeCipherSpec message within a Record Layer message. The most effective way to outlaw such combinations is to define ChangeCipherSpec as a separate protocol, and that is exactly 1 what the SSL specification does. The ChangeCipherSpec message itself is quite simple, as figure 4- 6 shows. The figure also shows how the entire message is encapsulated in a Record Layer message. (The Record Layer header is shaded in the figure.) The Record Layer has a protocol type value of 20, a protocol version of 3.0, and a length of 1. The ChangeCipherSpec message itself consists only of a single byte. It has the value 1.
4.4 Alert Protocol Systems use the Alert protocol to signal an error or caution condition to the other party in their communication. This function is important enough to warrant its own protocol, and SSL assigns it protocol type 21. As figure 4- 7 illustrates, the Alert protocol, like all SSL protocols, uses the Record Layer to format its messages. Figure 4- 8 shows the resulting message format. The Alert protocol itself defines two fields: a severity level and an alert description.
4.4.1 Severity Level The first field indicates the severity of the condition that caused the alert. Alerts can either be warnings (with a severity level of 1) or fatal _________________ 1 The SSL specification theoretically allows multiple ChangeCipherSpec messages in a single Record Layer message. That would create the same problems described above. Fortunately, however, there is no practical reason to combine messages that way, so the problem does not arise in real implementations.
Message Formats
73
HTTP
Secure Sockets Layer
Change Cipher
Handshake
Alert
Application
Record Layer
TCP
Figure 4-7 The Alert protocol signals error conditions.
(severity level 2). Fatal alerts represent significant problems with the communication, and require that both parties terminate the session immediately. Warning alerts are not quite as drastic. A system receiving such an alert may decide to allow the present session to continue; however, both parties must invalidate the SSL session for any future connections, and they must not try to resume the session later.
4.4.2 Alert Description The second field in an Alert protocol describes the specific error in more detail. The field is a single byte, and it can take on the values listed in table 4- 3. Table 4-3 Alert Protocol Descriptions Value
Name
Meaning
0
CloseNotify
The sending party indicates explicitly that it is closing the connection; closure alerts have a warning severity level.
10
UnexpectedMessage
The sending party indicates that it received an improper message; this alert is always fatal.
Prot: 21
Vers: 3
0
2
Level
Desc.
Len: 0
Figure 4-8 Alert protocol messages have only two fields.
74
SSL & TLS Essentials: Securing the Web
Value 20
Name
Meaning
BadRecord-
The sending party indicates that its has received a message for which the message authentication code failed; this alert is always fatal.
MAC
30
DecompressionFailure
The sending party indicates that it received data that it could not decompress; this alert is always fatal.
40
HandShakeFailure
The sending party indicates that it was not able to negotiate an acceptable set of security services for the session; this alert is always fatal.
41
NoCertificate
The sending party (which is always a client) indicates that it has no certificate that can satisfy the server’s CertificateRequest.
42
BadCertificate
The sending party received a certificate that was corrupt (e.g. , its signature could not be verified).
43
Unsupported Certificate
The sending party received a certificate of a type that it could not support.
44
CertificateRevoked
The sending party received a certificate that has been revoked by the certificate authority.
45
CertificateExpired
The sending party received a certificate that has expired.
46
CertificateUnknown
The sending party indicates an unspecified problem with a certificate it received.
47
IllegalParameter
The sending party indicates that it received a handshake message with a parameter value that was illegal or inconsistent with other parameters.
4.5 Handshake Protocol Most of the SSL specification describes the H andshake protocol, as it is the one primarily responsible for negotiating SSL sessions. As figure 4- 9 shows, the H andshake protocol relies on the Record Layer to encapsulate its messages. Figure 4- 10 illustrates their general format,
SSL vs. TLS The TLS protocol eliminates alert description 41 (NoCertificate) and adds a dozen other values.
Message Formats
75
HTTP
Secure Sockets Layer
Change Cipher
Handshake
Alert
Application
Record Layer
TCP
Figure 4-9 The Handshake protocol handles session negotiation.
and indicates that multiple handshake messages may be (and frequently are) combined into a single Record Layer message. Each handshake message begins with a single byte that defines the specific type of handshake message. Table 4- 4 lists the values that SSL defines. The type byte is followed by 3 bytes that define the length of the body of the handshake message. This length is measured in bytes and it does not include the type or length fields of the message. The remainder of this section describes each handshake message in detail. W ith one exception, the text follows the order of table 4- 4. ClientKeyExchange is discussed before the CertificateVerify, since the CertificateVerify message relies on information from the ClientKey-
Prot: 22
Vers: 3
...Length
Msg Type
0
Length...
Msg Length...
...Length
Handshake Message Msg Type
Msg Length
Handshake Message
...
Figure 4-10 Handshake protocol messages may be combined.
76
SSL & TLS Essentials: Securing the Web
Exchange. This approach also follows the order of messages in actual communication sessions more closely. Table 4-4 Handshake Protocol Types Value
Handshake Protocol Type
0
HelloRequest
1
ClientHello
2
ServerHello
11
Certificate
12
ServerKeyExchange
13
CertificateRequest
14
ServerHelloDone
15
CertificateVerify
16
ClientKeyExchange
20
Finished
4.5.1 HelloRequest The HelloRequest allows a server to ask a client to restart the SSL handshake negotiation. The message is not often used (and thus does not appear in any of the example scenarios of chapter 3), but it does give servers additional options. If a particular connection has been in use for so long that its security is unacceptably weakened, for example, the server can send a H elloRequest to force to client to negotiate new session keys. Figure 4- 11 shows the format of the H elloRequest message. As is clear from the figure, the H elloRequest is quite simple. It has a handshake message type of 0, and, since its message body is empty, its handshake message length is also 0.
Prot: 22
Vers: 3
0
Len: 0
4
Type: 0
Len: 0
0
0
Figure 4-11 HelloRequest messages use a simple format.
Message Formats
77
4.5.2 ClientHello
SSL vs. TLS The TLS protocol uses a version value of 3.1 instead of 3.0.
The ClientHello message normally begins an SSL handshake negotiation. Figure 4- 12 shows the fields that make up a ClientH ello message. ClientH ello messages have a handshake message type of 1, and a variable message body size. Two bytes immediately following the message length identify the SSL protocol version. Values of 3 and 0 for this field indicate SSL version 3.0. Although this information is essentially the same as that in the Record Layer encapsulation, in theory, at least, it allows the Record Layer and H andshake protocols to evolve independently. After the protocol version, the client inserts a 32-byte random number. The SSL specification suggests that clients use the current date and time (up to the second) as the first 4 bytes of this random number, but it does not demand any particular degree of accuracy. Including the date and time reduces the possibility of duplicating the random value, which, if it were to inadvertently occur, could comProt: 22
Vers: 3
...Length
Type: 1
...Length
Vers: 3
0
Length... Length...
0
ClientRandomValue (32 bytes) ID len
Session ID
CipherSuite length
CipherSuite 1
CipherSuite 2
CipherSuite n Cmp 2
Cmp len ...
Cmp 1 Cmp n
Figure 4-12 The ClientHello message proposes CipherSuites.
78
SSL & TLS Essentials: Securing the Web
promise security. A client, for example, might not be able to remember previous values in between reboots or resets. Including the date and time eliminates the possibility of duplicating an old value (assuming that the reboot or reset process takes at least one second). The byte after the random value contains the length, in bytes, of the session I D ; the session I D itself follows next. Unless a client wishes to resume a previous session, it leaves out the session I D (and sets the I D length to 0). The SSL protocol limits session I D s to 32 bytes or fewer, but it places no constraints on their content. Note, though, that since session I D s are transmitted in ClientH ellos before any encryption is enabled, implementations should not place any information in the session I D that might, if revealed, compromise security. The client’s list of proposed cipher suites follows the session I D . The list begins with a single byte indicating the size of the list. The size is measured in bytes, even though cipher suites themselves are 2-byte quantities. A client proposing five cipher suites, for example, would set the CipherSuite length field to 10. Table 4- 5 lists the SSL version 3.0 cipher suites; for details on each suite, refer to section 4.7. Table 4-5 SSL Version 3.0 CipherSuite Values Value
Cipher Suite
0,0
SSL_NULL_WITH_NULL_NULL
0,1
SSL_RSA_WITH_NULL_MD5
0,2
SSL_RSA_WITH_NULL_SHA
0,3
SSL_RSA_EXPORT_WITH_RC4_40_MD5
0,4
SSL_RSA_WITH_RC4_128_MD5
0,5
SSL_RSA_WITH_RC4_128_SHA
0,6
SSL_RSA_EXPORT_WITH_RC2_CBC_40_MD5
0,7
SSL_RSA_WITH_IDEA_CBC_SHA
0,8
SSL_RSA_EXPORT_WITH_DES40_CBC_SHA
0,9
SSL_RSA_WITH_DES_CBC_SHA
0,10
SSL_RSA_WITH_3DES_EDE_CBC_SHA
0,11
SSL_DH_DSS_EXPORT_WITH_DES40_CBC_SHA
0,12
SSL_DH_DSS_WITH_DES_CBC_SHA
Message Formats
SSL vs. TLS The TLS protocol, by default, does not include support for the Fortezza/ DMS cipher suites, the last 3 listed in the table. In addition, the TLS standardization process makes it much easier to define new cipher suites. As of this writing, dozens have been proposed. In a similar manner, TLS makes it easier to define compression methods.
79
Value
Cipher Suite
0,13
SSL_DH_DSS_WITH_3DES_EDE_CBC_SHA
0,14
SSL_DH_RSA_EXPORT_WITH_DES40_CBC_SHA
0,15
SSL_DH_RSA_WITH_DES_CBC_SHA
0,16
SSL_DH_RSA_WITH_3DES_EDE_CBC_SHA
0,17
SSL_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA
0,18
SSL_DHE_DSS_WITH_DES_CBC_SHA
0,19
SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA
0,20
SSL_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA
0,21
SSL_DHE_RSA_WITH_DES_CBC_SHA
0,22
SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA
0,23
SSL_DH_anon_EXPORT_WITH_RC4_40_MD5
0,24
SSL_DH_anon_WITH_RC4_128_MD5
0,25
SSL_DH_anon_EXPORT_WITH_DES40_CBC_SHA
0,26
SSL_DH_anon_WITH_DES_CBC_SHA
0,27
SSL_DH_anon_WITH_3DES_EDE_CBC_SHA
0,28
SSL_FORTEZZA_DMS_WITH_NULL_SHA
0,29
SSL_FORTEZZA_DMS_WITH_FORTEZZA_CBC_SHA
0,30
SSL_FORTEZZA_DMS_WITH_RC4_128_SHA
The final fields of a ClientH ello message list the compression methods that the client proposes for the session. The list begins with a length byte; individual compression methods follow as single-byte values. As a practical matter, though, no compression methods other than the null compression have been defined for SSL version 3. Consequently, all current implementations set the compression length to 1 and the next byte to 0, indicating no compression.
4.5.3 ServerHello The ServerHello message closely resembles the ClientH ello message, as figure 4- 13 shows. The only significant differences are the value of the handshake message type (2 instead of 1) and the fact that the server specifies a single cipher suite and compression method rather than a list. The values identified by the server are those that the par-
80
SSL & TLS Essentials: Securing the Web
Prot: 22
Vers: 3
...Length
Type: 2
...Length
Vers: 3
0
Length... Length...
0
ServerRandomValue (32 bytes) ID len
Session ID
CipherSuite
Compr
Figure 4-13 The ServerHello message designates the CipherSuite.
ties will use for the session; the server must pick from among the choices the client proposed. The server may include, at its own discretion, a SessionID in the ServerH ello message. If the server includes this field, it will allow the client to attempt to reuse the session at some point in the future. Servers that don’t wish to allow a session to be reused may omit the SessionID field by specifying a length of 0.
4.5.4 Certificate The Certificate message is relatively straightforward, as figure 4- 14 makes clear. Its H andshake protocol message type is 11, and it begins with that message type and the standard handshake message length. The body of the message contains a chain of public key certificates. That chain begins with 3 bytes that indicate its length. (The value for the chain length is always three less than the value of the message length.) Each certificate in the chain also begins with a 3-byte field that holds the size of the certificate. The message first indicates the overall length of the certificate chain. Then it indicates the length of each certificate with 3 bytes immediately preceding the certificate. Certificate chains allow SSL to support certificate hierarchies. The first certificate in the chain is always that of the sender. The next cer-
Message Formats
81
Prot: 22
Vers: 3
...Length
Type: 11
...Length
0
Length...
Message Length...
Certificate Chain Length
Certificate 1 Length
Certificate 1
... Certificate n Length
Certificate n
Figure 4-14 The Certificate message contains a certificate chain.
tificate is that of the authority that issued the sender’s certificate. The third certificate (if one is present) belongs to the CA for that authority, and so on. The chain continues until it reaches a certificate for a root certificate authority.
4.5.5 ServerKeyExchange The ServerKeyExchange message carries key information from the server to the client. Its exact format depends on the cryptographic algorithms being used to exchange key information. The various formats—which correspond to Diffie-H ellman, RSA , and Fortezza key exchange protocols—are illustrated in figures 4- 15, 4- 16, and 4- 17. In all cases, the handshake message type has the value 12. Note that there is no explicit indication in the message itself of the particular format it employs. Clients must use knowledge they possess from previous handshake messages (the key exchange algorithm from the selected cipher suite in the ServerH ello message and the signing algorithm, if relevant, from the Certificate message) to interpret a ServerKeyExchange message correctly. The first of the three figures, figure 4- 15, shows a ServerKeyExchange message for Diffie-H ellman key exchange. The three Diffie-
82
SSL & TLS Essentials: Securing the Web
Prot: 22
Vers: 3
...Length
Type: 12
0
Length...
DH p length
...Length
Length...
DH p ...
...value
DH q length
DH q value
DH Ys length DH Ys value
Signed MD5 hash [if RSA signing] (16 bytes)
Signed SHA hash [if RSA or DSA signing] (20 bytes)
Figure 4-15 ServerKeyExchange carries Diffie-Hellman parameters.
H ellman parameters (p, q, and Ys) make up the first six fields after the message length. Each parameter includes its own length, followed by the actual value. For RSA key exchange messages (figure 4- 16), the key information consists of the RSA modulus and public exponent. Each of those parameters is carried in the message as a length, followed by the value.
Prot: 22
Vers: 3
...Length
Type: 12
...Length
0
Length...
RSA mod len
... mod value
Length...
RSA ...
RSA exp length
RSA exp value
Signed MD5 hash [if RSA signing] (16 bytes)
Signed SHA hash [if RSA or DSA signing] (20 bytes)
Figure 4-16 ServerKeyExchange carries RSA parameters.
Message Formats
83
Prot: 22
Vers: 3
0
Len: 0
132
Type: 12
Len: 0
0
128 Fortezza rs (128 bytes)
Figure 4-17 ServerKeyExchange carries Fortezza/ DMS parameters.
W hen the systems employ Fortezza/ D M S key exchange, the ServerKeyExchange message carries the Fortezza rs value. Since rs is always 128 bytes in size, there is no need for a separate length parameter in the ServerKeyExchange message. The handshake message length of 128 is sufficient, as figure 4- 17 indicates. The figures also show that a ServerKeyExchange may include signed parameters. Again, the exact format of those parameters depends on the specific signature algorithm the server supports. If server authentication is not part of a particular SSL session, then no signing is employed, and the ServerKeyExchange message ends with the DiffieH ellman, RSA , or Fortezza parameters. This option corresponds to the encryption-only scenario of section 3.3. If the server is not acting anonymously and has sent a Certificate message, however, then the signed parameters format depends on the signature algorithm indicated in the server’s certificate. If the server’s certificate is for RSA signing, then the signed parameters consist of the concatenation of two hashes: an M D hash and a SH A hash. Note that a single signature for the combined hashes is included, not separate signatures for each hash. If the server’s certificate is for D SA signing, then the signed parameters consist solely of a SH A hash. In either case, the input to the hash functions (and, thus, the data being signed) is constructed as in figure 4- 18. That data consists of the client’s random value (from the ClientH ello), followed by the server’s random value (in the ServerH ello), followed by the key exchange parameters (either the Diffie-H ellman parameters of figure 4- 15 or the RSA parameters of figure 4- 16). No signed parameters are included for Fortezza/ DM S key exchange.
84
SSL & TLS Essentials: Securing the Web
ClientHello Random Value
ServerHello Random Value
Server Key Parameters
H( )
hash
Figure 4-18 The server signs a hash of ServerKeyExchange parameters.
4.5.6 CertificateRequest To authenticate a client’s identity, a server first sends a CertificateRequest message. This message not only asks a client to send its certificate (and to sign information using the private key for that certificate), it also tells the client which certificates are acceptable to the server. Figure 4- 19 shows the format for this information. The CertificateRequest message is handshake message type 13; after the handshake type and length, the message contains a list of acceptable certificate types. This type list begins with its own length (a one-byte value), and consists of one or more single-byte values that identify specific certificate types. Table 4- 6 lists the defined certificate type values and their meanings.
Prot: 22
Vers: 3
...Length
Type: 13
...Length
CT len
...
CT n
Length...
0
Length... CT 1
CT 2
CAs length
CA 1 length
DN of CA 1
...
Figure 4-19 The CertificateRequest message asks for specific certificates.
Message Formats
85
Table 4-6 Certificate Types CT Value
Certificate Type
1
RSA signing and key exchange
2
DSA signing only
3
RSA signing with fixed Diffie-Hellman key exchange
4
DSA signing with fixed Diffie-Hellman key exchange
5
RSA signing with ephemeral Diffie-Hellman key exchange
6
DSA signing with ephemeral Diffie-Hellman exchange
20
Fortezza/ DMS signing and key exchange
In addition to certificate types, the CertificateRequest message also indicates which certificate authorities the server considers appropriate. This list begins with its own 2-byte length field and then contains one or more distinguished names. Each distinguished name has its own length field, and unambiguously identifies a certificate authority. For more details on distinguished names, see appendix A.
4.5.7 ServerHelloDone The ServerHelloDone message concludes the server’s part of a handshake negotiation. This message does not carry any additional information; it takes the simple form of figure 4- 20. The handshake message type is 14, and the message body length is 0.
4.5.8 ClientKeyExchange W ith a ClientKeyExchange message, the client provides the server with the key materials necessary for securing the communication; the exact format of the message depends on the specific key exchange algorithm the parties are using. The three possibilities that SSL allows are RSA Diffie-H ellman, and Fortezza/ DM S key exchange. Figures Prot: 22
Vers: 3
0
Len: 0
4
Type: 14
Len: 0
0
0
Figure 4-20 A ServerHelloDone message ends the server’s negotiation.
86
SSL & TLS Essentials: Securing the Web
Prot: 22
Vers: 3
...Length
Type: 16
0
Length... Length...
...Length
Encrypted Premaster Secret
Figure 4-21 For RSA, the ClientKeyExchange carries a premaster secret.
4- 21, 4- 22, and 4- 23 show the message formats for each. Note that the ClientKeyExchange message does not include an explicit indication of the format or key exchange algorithm. Rather, both parties infer the format by knowing the key exchange algorithm of the negotiated cipher suite. The first message format is for RSA key exchange. As figure 4- 21 indicates, the message has a handshake message type of 16, and the standard handshake message length. The message body itself consists solely of the encrypted premaster secret. This premaster secret is encrypted using the public key of the server, as received in the ServerKeyExchange or Certificate message. The premaster secret is a preliminary step in deriving the master secret for the session. (The master secret, discussed in detail in the next subsection, is the source of all the essential cryptographic data for the session.) For RSA key exchange, the premaster secret is simply 2 bytes for the version of SSL the client supports (3 and 0, for version 3.0) followed by 46 securely generated random bytes.
Prot: 22
Vers: 3
...Length
Type: 16
...Length
0
Length... Length...
DH Yc length
DH Yc value
Figure 4-22 For ephemeral Diffie-Hellman, ClientKeyExchange carries Yc.
Message Formats
87
Prot: 22
Vers: 3
...Length
Type: 16
0
Length... Length...
...Length
Fortezza Key Material (10 values)
Figure 4-23 For Fortezza, the ClientKeyExchange carries key material.
W hen the key exchange protocol is Diffie-H ellman, there are two possibilities for the ClientKeyExchange message. If the DiffieH ellman exchange is ephemeral, then the message takes the format of figure 4- 22. As the figure shows, the message body contains the client’s Yc value, preceded by the length of that value. If the DiffieH ellman exchange is explicit, then the Yc value is carried in the client’s certificate. In that case, the ClientKeyExchange will be empty. For Fortezza/ DM S key exchange, the ClientKeyExchange message of figure 4- 23 requires a set of parameters. Table 4- 7 lists the details. Table 4-7 Fortezza/ DMS ClientKeyExchange Parameters Parameter
Size
Size of the Yc value The Yc value (between 64 and 128 bytes), or nothing if
2 bytes 0 – 128 bytes
Yc is in the client’s certificate The client’s Rc value
128 bytes
The Key Encryption Algorithm’s public key, signed with the client’s DSS private key
20 bytes
The client’s write key, wrapped by the Token Encryption Key ( TEK)
12 bytes
The client’s read key, wrapped by the Token Encryption Key
12 bytes
The client’s initialization vector
24 bytes
The server’s initialization vector
24 bytes
The master secret initialization vector used for encrypting the premaster secret
24 bytes
The premaster secret, which is a securely generated random value, encrypted by the TEK
48 bytes
88
SSL & TLS Essentials: Securing the Web
Prot: 22
Vers: 3
...Length
Type: 15
0
Length... Length...
...Length
Signed MD5 hash [if RSA signing] (16 bytes)
Signed SHA hash (20 bytes)
Figure 4-24 The CertificateVerify message contains a signed hash.
4.5.9 CertificateVerify A client proves that it possesses the private key corresponding to its public key certificate with a CertificateVerify message. The message, as figure 4- 24 shows, consists of hashed information digitally signed by the client. The exact format of the information depends on whether the client’s certificate indicates RSA or D SA signing. For RSA certificates, two separate hashes are combined and signed: an M D hash and a SH A hash. One signature covers both hashes; there are not two separate signatures. For D SA certificates, only a SH A hash is created and signed. In all cases, the information that serves as input to the hash functions (and, thus, is the information that is digitally signed) is the same. Clients build the information in three steps. First they compute a special value known as the master secret. Section 4.6.3 describes how this master secret is used in various cryptographic computations; for now, we’re only concerned with how systems create a master secret. To calculate the master secret value, the client follows the process given in table 4- 8. Figure 4- 25 shows the calculation as an equation. Table 4-8 Master Secret Calculation Step 1
Action Begin with the 48-byte premaster secret. The client creates this value and sends it to the server in the ClientKeyExchange message. (See the previous section for details.)
Message Formats
SSL vs. TLS The TLS protocol uses a slightly different hash calculation for the CertificateVerify hash; it does not involve the master secret.
89
Step
Action
2
Calculate the SHA hash of the ASCII character ‘A’ followed by the premaster secret, the client’s random value (from the ClientHello) and the server’s random value (from the ServerHello).
3
Calculate the MD5 hash of the premaster secret, followed by the output of step 2.
4
Calculate the SHA hash of the two ASCII characters ‘BB’, the premaster secret, the client’s random value (from the ClientHello), and the server’s random value (from the ServerHello).
5
Calculate the MD5 hash of the premaster secret followed by the output of step 4.
6
Concatenate the results from step 5 to the results from step 3.
7
Calculate the SHA hash of the three ASCII characters ‘CCC’ followed by the premaster secret, the client’s random value (from the ClientHello), and the server’s random value (from the ServerHello).
8
Calculate the MD5 hash of the premaster secret, followed by the output of step 7.
9
Concatenate the results from step 8 to the results from step 6.
Once the client has the master secret value, it moves to the next stage in building the CertificateVerify message. The client creates a hash of the full contents of all previous SSL handshake messages exchanged during the session, followed by the master secret, followed by the single-byte value 00 1100 110, repeated 48 times for M D and 40 times for SH A . In the third step, the client creates a new hash using the same master secret, followed by the binary value 0 10 11100, repeated 48 times for M D and 40 times for SH A, followed by the output of the intermediate hash. Figure 4- 26 summarizes the entire process. master secret =
MD5(premaster
secret + SHA(‘A’ + premaster secret + ClientHello.random + ServerHello.random))
+ MD5(premaster
secret + SHA(‘BB’ + premaster secret + ClientHello.random + ServerHello.random))
+ MD5(premaster
secret + SHA(‘CCC’ + premaster secret + ClientHello.random + ServerHello.random))
Figure 4-25 The master secret requires six hash calculations.
90
SSL & TLS Essentials: Securing the Web
Handshake Messages...
Master Secret
48 bytes of 0x36
MD5
Master Secret
48 bytes of 0x5C
hash
MD5
hash
Figure 4-26 CertificateVerify has a signed hash of handshake messages.
4.5.10 Finished The final handshake message is type 20, the Finished message. This message indicates that the SSL negotiation is complete and that the negotiated cipher suite is in effect. Indeed, the Finished message is itself encrypted using the cipher suite parameters. Figure 4- 27 shows the format of a Finished message. As the figure indicates, though, the actual contents may be encrypted. W hen an encrypted message traverses networks, it contents are not visible. The Finished message body consists of two hash results, one using the M D hash algorithm and the other using the SH A hash algorithm. Both hash calculations use the same information as input, and both are calculated in two stages. Figure 4- 28 illustrates the process each system uses to calculate the SH A hash for its Finished message. The M D calculation is similar. First, the sender creates a hash of the full contents of all previous SSL handshake messages exchanged during the session, followed by an indication of the sender’s role, the master secret, and padding. The sender’s role is the hexadecimal value 4 4C4E 4 if the sender is a
Message Formats
91
Prot: 22
Vers: 3
0
Len: 0
56
Type: 20
Len: 0
0
36 MD5 hash (16 bytes)
Handshake message Encrypted
SHA hash (20 bytes)
MD5 Message Authentication Code (16 bytes)
MAC
Figure 4-27 The Finished message uses negotiated security services. SSL vs. TLS The TLS protocol uses a slightly different hash calculation for the Finished message.
client, 53525652 if a server. The padding is the binary value 00 1100 110, repeated 48 times for M D and 40 times for SH A . For the second stage, the sender creates a new hash using the master secret, followed by an alternate padding and the output of the intermediate hash. The second-stage padding is the binary value 0 10 11100, repeated 48 times for M D and 40 times for SH A . Handshake Messages...
Sender's Role
Master Secret
40 bytes of 0x36
SHA
Master Secret
40 bytes of 0x5C
hash
SHA
hash
Figure 4-28 The Finished messages includes a signed hash.
92
SSL & TLS Essentials: Securing the Web
Note the similarity between this calculation and the hash calculation for the CertificateVerify message (see section 4.5.9). There are two differences, however. First, the Finished hash includes the sender’s role while the CertificateVerify hash does not. (Of course, only clients can send CertificateVerify messages.) Second, the set of handshake messages will be different when the two hashes are calculated. In either case, note that SSL does not consider ChangeCipherSpec messages to be handshake messages (they are not part of the H andshake protocol), so their contents are not included in the hash.
4.6 Securing Messages The Finished message is the first to actually use the security services that SSL negotiates. Once those services are in place, however, all subsequent messages in the session also make use of them—even additional handshake messages, should the parties want to renegotiate new security parameters. The most important messages, though, are application protocol messages. Those messages contain the actual data that the two parties want to exchange; the security requirements of that data are what make SSL necessary. Figure 4- 29 shows how application data fits in the SSL architecture. The SSL protocol provides both encryption and message authentication codes for the data, ensuring that it is kept confidential and that it is not altered. The following two subsections detail each of these services. HTTP
Secure Sockets Layer
Change Cipher
Handshake
Alert
Application
Record Layer
TCP
Figure 4-29 Applications use the Record Layer directly.
Message Formats
93
4.6.1 Message Authentication Code The Secure Sockets Layer supports two different algorithms for a message authentication code (M AC ). As figures 4- 30 and 4- 31 indicate, those algorithms are RSA’s Message Digest 5 (M D ) and the Secure H ash Algorithm (SH A). The particular algorithm for any given communications is determined by the negotiated cipher suite. O ther than the algorithm itself, the only difference between the two is the size of the hash. The M D algorithm generates a 16-byte hash value, while SH A creates a 20-byte value. In both cases, the hash result is simply appended to the application data. The SSL Record Layer length value includes both the application data and the authentication code. Also, as the figures highlight, both the application data and the check value are encrypted. To calculate (or verify) the message authentication code, a system uses a two-stage hash very similar to hash computations in the handshake messages. It starts with a special value known as the M AC write secret, followed by padding, a 64-bit sequence number, a 16-bit value with the length of the content, and, finally, by the content itself. The padding is the single-byte value 00 1100 110, repeated 48 times for M D and 40 times for SH A . For the second stage, the system uses the M AC write secret, padding, and the output of the intermediate hash. This time, the padding is the binary value 0 10 11100, repeated 48 times for M D and 40 times for SH A This result is the M AC value that appears
Record Layer
Prot: 23
Vers: 3
0
Length...
...Length
Application Data Encrypted
MD5 Message Authentication Code (16 bytes)
MD5 MAC
Figure 4-30 The MD5 MAC protects the integrity of application data.
94
Record Layer
SSL & TLS Essentials: Securing the Web
Prot: 23
Vers: 3
0
Length...
...Length
Application Data
Encrypted
SHA Message Authentication Code (20 bytes)
SHA MAC
SSL vs. TLS
Figure 4-31 The SHA MAC also protects application data integrity.
in the SSL messages. Figure 4- 32 shows the process for an sage authentication code.
M D
mes-
The two special values included in this calculation are the M AC write secret and the sequence number. Section 4.6.3 discusses the M AC write secret, along with other important cryptographic parameters. The sequence number is a count of the number of messages the parMAC secret
48 bytes of 0x36
seq. num.
proto. type
msg. len.
message data
MD5
MAC secret
48 bytes of 0x5C
The TLS protocol uses a completely different calculation for the message authentication codes. See section 5.4.3.
hash
MD5
MAC
Figure 4-32 SSL calculates a message authentication code in two stages.
Message Formats
95
ties have exchanged. Its value is set to 0 with each ChangeCipherSpec message, and it is incremented once for each subsequent SSL Record Layer message in the session.
4.6.2 Encryption The SSL protocol supports both stream and block encryption ciphers, although the message formats differ slightly. The examples illustrated so far show stream encryption algorithms; they represent the simplest case. Figure 4- 33 shows that the information to be encrypted is simply the application data, followed by the message authentication code. W ith stream encryption algorithms, no other parameters are required. For block encryption, on the other hand, the data to be encrypted must be a multiple of the block size. And, since application data can rarely be forced into specific sizes, block encryption algorithms rely on padding. In this case, padding is used in the sense described in section 2.2.1. D ummy data added to the application data to force its length to be a multiple of the block size. In order to successfully extract the actual application data once the information has been encrypted, the recipient must know where the application data ends and the padding begins. This requirement leads to the format of figure 4- 34. As that figure indicates, the very last byte of the encrypted
Record Layer
Prot: 23
Vers: 3
0
Length...
...Length
Application Data Encrypted
Message Authentication Code
Figure 4-33 SSL can use stream encryption to protect application data.
96
Record Layer
SSL & TLS Essentials: Securing the Web
Prot: 23
Vers: 3
0
Length...
...Length
Application Data
Encrypted
Message Authentication Code
Message Padding Pad len
Figure 4-34 SSL can also use block encryption ciphers.
information contains the length of the padding. After decrypting the block, a recipient counts backward from the padding length byte to find the end of application data.
4.6.3 Creating Cryptographic Parameters The Secure Socket Layer’s encryption and message authentication code algorithms rely on a collection of secret information known only to the communicating parties. Indeed, establishing that information securely is one of the three major purposes of the SSL handshake. (The other two are authenticating identity and negotiating cipher suites.) The starting point for all the shared secret information is the master secret, previously discussed in the context of the CertificateVerify message. The master secret is, in turn, based on the premaster secret. In most cases, the client picks the premaster secret by generating a secure random number. The client then encrypts this value using the server’s public key, and sends it to the server in the ClientKeyExchange message. (For Diffie-H ellman key exchange, the result of the conventional Diffie-H ellman calculation serves as the premaster se-
Message Formats
97
cret. The ClientKeyExchange completes the Diffie-H ellman calculation.) In all cases, once the server has received the ClientKeyExchange message, both parties know the same premaster secret. Each then takes the premaster secret and inputs it, along with the random values each chose for its H ello message, into secure hash functions. After combining the hash outputs in prescribed ways, both systems will have the same master secret. Tables 4- 9 and 4- 10 show the details of these two processes. The first summarizes the rules for creating the premaster secret. Table 4-9 Creating the Premaster Secret Key Exchange
Action
RSA
Client generates the premaster secret as 2 bytes containing the SSL version (binary 3 and then 0), followed by 46 securely generated random bytes.
Fortezza/ DMS
Client generates the premaster secret as 48 securely generated random bytes.
Diffie-Hellman
The key created by the Diffie-Hellman computation (usually referred to as Z) is used as the premaster secret.
Table 4- 10 shows how each party calculates the master secret from the premaster secret. Figure 4- 35 illustrates the information graphically, and figure 4- 36 shows the same steps in the form of an equation. Table 4-10 Calculating the Master Secret Step
Action
1
Calculate the SHA hash of the ASCII character ‘A’ followed by the premaster secret, followed by the client’s random value (from the ClientHello), followed by the server’s random value (from the ServerHello).
2
Calculate the MD5 hash of the premaster secret, followed by the output of step 1.
3
Calculate the SHA hash of the two ASCII characters ‘BB’ followed by the premaster secret, followed by the client’s random value (from the ClientHello), followed by the server’s random value (from the ServerHello).
98
SSL & TLS Essentials: Securing the Web
Step
Action
4
Calculate the MD5 hash of the premaster secret followed by the output of step 3.
5
Concatenate the results from step 4 to those from step 2.
6
Calculate the SHA hash of the three ASCII characters ‘CCC’ followed by the premaster secret, followed by the client ’s random value (from the ClientHello), followed by the server’s random value (from the ServerHello).
7
Calculate the MD5 hash of the premaster secret, followed by the output of step 6.
8
Concatenate the results from step 7 to the results from step 5.
'A'
Premaster Secret
Client Random
Premaster Secret
'BB'
'CCC'
Server Random
Client Random
Premaster Secret
Server Random
Client Random
Server Random
SHA
Premaster Secret
hash
SHA
Premaster Secret
MD5
MD5
hash
SHA
Premaster Secret
hash
MD5
hash
hash
hash
Master Secret
Figure 4-35 SSL uses hash functions to generate the master secret.
Message Formats
99
master secret =
MD5(premaster
secret + SHA(‘A’ + premaster secret + ClientHello.random + ServerHello.random))
+ MD5(premaster
secret + SHA(‘BB’ + premaster secret + ClientHello.random + ServerHello.random))
+ MD5(premaster
secret + SHA(‘CCC’ + premaster secret + ClientHello.random + ServerHello.random))
Figure 4-36 The master secret requires six hash calculations.
SSL vs. TLS The TLS protocol defines a completely new process for generating key material. See section 5.4.4.
Once each system has calculated the master secret, it is ready to generate the actual secret information needed for the communication. The first step in that process is determining how much secret information is necessary. The exact amount depends on the particular cipher suite and parameters that the two parties have negotiated, but generally consists of the information that table 4- 11 lists. Each party selects from that table the information that is appropriate for the negotiated cipher suite, and then counts the number of bytes each value requires based on the negotiated cipher suite parameters. The result is the size of the required secret information. Table 4-11 Shared Secret Information Parameter
Secret Information
client write MAC secret
The secret value included in the message authentication code for messages generated by the client.
server write MAC secret
The secret value included in the message authentication code for messages generated by the server.
client write key
The secret key used to encrypt messages generated by the client.
server write key
The secret key used to encrypt messages generated by the server.
client write IV
The initialization vector for encryption performed by the client.
server write IV
The initialization vector for encryption performed by the server.
To create shared secret information, both parties use a process very similar to the one that yields the master secret in the first place. Figure 4- 37 illustrates the approach. They first calculate the SH A hash of
100
SSL & TLS Essentials: Securing the Web
'A'
Master Secret
Server Random
Master Secret
'BB'
'CCC'
Client Random
Server Random
Master Secret
Client Random
Server Random
Client Random
SHA
Master Secret
MD5
hash
SHA
Master Secret
hash
SHA
.
MD5
Master Secret
hash
.
.
MD5
hash
hash
hash
hash
hash
...
Key Material
Figure 4-37 The master secret allows SSL to calculate key material.
the ASCI I character ‘A ’ followed by the master secret, followed by the server’s random value (from the ServerH ello), followed by the client’s random value (from the ClientH ello). Systems then calculate the M D hash of the master secret, followed by the results of the intermediate hash. If the resulting 16-byte value is not sufficient for all the secret information, they repeat the process, but with the ASCI I characters ‘BB ’ instead of ‘A .’ The parties continue repeating this calculation (with ‘CCC ,’ then ‘D DDD ,’ then ‘EEEEE ,’ and so on) as many times as necessary to generate enough secret informa-
Message Formats
101
key material =
MD5(master
secret + SHA(‘A’ + master secret + ClientHello.random + ServerHello.random))
+ MD5(master
secret + SHA(‘BB’ + master secret + ClientHello.random + ServerHello.random))
+ MD5(master
secret + SHA(‘CCC’ + master secret + ClientHello.random + ServerHello.random))
+ …
Figure 4-38 The master secret seeds calculation of key material.
tion. Figure 4- 38 shows the calculations as an equation. The results yield the values of table 4- 11 in order, as figure 4- 39 indicates. In many cases, the values of table 4- 11 directly supply the secret information needed for the cryptographic computations. One particular class of cipher suites, however, requires an additional refinement. Those cipher suites are known as exportable, and generally use smaller key sizes for encryption. (Such cipher suites are said to be exportable because systems that only use such cipher suites are, due to U S. laws and regulations, generally easier to export from the United States.) For exportable cipher suites, the final secret key used for messages encrypted by the client is the M D hash of the client write key from table 4- 11, followed by the client’s random value (from the ClientH ello), and followed by the server’s random value (from the ServerH ello). Similarly, the final secret key for messages encrypted by the server is the M D hash of the server write key from the table, followed by the server’s random value, and followed by the client’s random value. Note, the initialization vectors are not taken from table 4- 11, but are simply the M D hash of the client and server’s random values Key Material
hash
hash
client MAC
hash
hash
server MAC
hash
hash
client cipher
hash
hash
server cipher
hash
hash
client IV
Figure 4-39 SSL extracts secret values from key material.
hash
hash
server IV
102
(for the client write the server write I V).
SSL & TLS Essentials: Securing the Web
I V)
or the server and client’s random values (for
4.7 Cipher Suites Version 3.0 of the SSL specification defines 31 different cipher suites, representing a varied selection of cryptographic algorithms and parameters. Table 4- 12 lists those cipher suites, and indicates the key exchange, encryption, and hash algorithms each employs. The first three columns, when combined, form the official SSL name of the cipher suite. The rightmost column marks those cipher suites considered exportable. Table 4-12 Cipher Suite Algorithms Key Exchange
Encryption
Hash
Exportable
SSL_NULL_
WITH_NULL_
NULL
•
SSL_RSA_
WITH_NULL_
MD5
•
SSL_RSA_
WITH_NULL_
SHA
•
SSL_RSA_EXPORT_
WITH_RC4_40_
MD5
•
SSL_RSA_
WITH_RC4_128_
MD5
SSL_RSA_
WITH_RC4_128_
SHA
SSL_RSA_EXPORT_
WITH_RC2_CBC_40_
MD5
SSL_RSA_
WITH_IDEA_CBC_
SHA
SSL_RSA_EXPORT_
WITH_DES40_CBC_
SHA
SSL_RSA_
WITH_DES_CBC_
SHA
SSL_RSA_
WITH_3DES_EDE_CBC_
SHA
SSL_DH_DSS_EXPORT_
WITH_DES40_CBC_
SHA
SSL_DH_DSS_
WITH_DES_CBC_
SHA
SSL_DH_DSS_
WITH_3DES_EDE_CBC_
SHA
SSL_DH_RSA_EXPORT_
WITH_DES40_CBC_
SHA
SSL_DH_RSA_
WITH_DES_CBC_
SHA
SSL_DH_RSA_
WITH_3DES_EDE_CBC_
SHA
SSL_DHE_DSS_EXPORT_
WITH_DES40_CBC_
SHA
SSL_DHE_DSS_
WITH_DES_CBC_
SHA
SSL_DHE_DSS_
WITH_3DES_EDE_CBC_
SHA
SSL_DHE_RSA_EXPORT_
WITH_DES40_CBC_
SHA
SSL_DHE_RSA_
WITH_DES_CBC_
SHA
SSL_DHE_RSA_
WITH_3DES_EDE_CBC_
SHA
SSL_DH_anon_EXPORT_
WITH_RC4_40_
MD5
SSL_DH_anon_
WITH_RC4_128_
MD5
• •
•
•
•
•
•
Message Formats
103
Key Exchange
Encryption
Hash
SSL_DH_anon_EXPORT_
WITH_DES40_CBC_
SHA
SSL_DH_anon_
WITH_DES_CBC_
SHA
SSL_DH_anon_
WITH_3DES_EDE_CBC_
SHA
SSL_FORTEZZA_DMS_
WITH_NULL_
SHA
SSL_FORTEZZA_DMS_
WITH_FORTEZZA_CBC_
SHA
SSL_FORTEZZA_DMS_
WITH_RC4_128_
SHA
Exportable
4.7.1 Key Exchange Algorithms The SSL specification defines a total of 14 different key exchange algorithms, counting the available variations. Table 4- 13 lists those algorithms. For those key exchange algorithms that are part of exportable cipher suites, the table also indicates the size limit that 2 U S. export policy defines for the algorithm. Table 4-13 Key Exchange Algorithms Algorithm
Description
Key Size Limit
DHE_DSS
Ephemeral Diffie-Hellman with DSS signatures
none
DHE_DSS_EXPORT
Ephemeral Diffie-Hellman with DSS signatures
DH: 512
DHE_RSA
Ephemeral Diffie-Hellman with RSA signatures
none
DHE_RSA_EXPORT
Ephemeral Diffie-Hellman with RSA signatures
DH: 512
DH_anon
Anonymous Diffie-Hellman
none
DH_anon_EXPORT
Anonymous Diffie-Hellman
DH: 512
DH_DSS
Diffie-Hellman with DSS certificates
none
bits
bits
RSA: none
DH_DSS_EXPORT
Diffie-Hellman with DSS certificates
DH: 512
DH_RSA
Diffie-Hellman with RSA certificates
none
DH_RSA_EXPORT
Diffie-Hellman with RSA certificates
DH: 512
bits
bits
bits
RSA: none
FORTEZZA_DMS
Fortezza/ DMS
NULL
No key exchange
RSA
RSA key exchange
none
RSA_EXPORT
RSA key exchange
RSA: 512
bits
_________________ 2 During the writing of this book, the U S government announced its intention to revise its export policy so as to eliminate these restrictions in many, but not all, cases.
104
SSL & TLS Essentials: Securing the Web
4.7.2 Encryption Algorithms The SSL protocol supports nine different encryption algorithms, counting variations. They can be found in table 4- 14. The table also shows the key material size (derived from the master secret, as section 4.6.3 describes), the effective key size, and the initialization vector size. (In all cases other than FORT EZZA _CBC , the I V size is also the block size.) Table 4-14 Encryption Algorithms Algorithm
Type
Key Material
Key Size
IV Size
3DES_EDE_CBC
Block
24 bytes
168 bits
8 bytes
DES_CBC
Block
8 bytes
56 bits
8 bytes
DES40_CBC
Block
5 bytes
FORTEZZA_CBC
Block
IDEA_CBC
Block
NULL
Stream
RC2_CBC_40
Block
RC4_128 RC4_40
40 bits
8 bytes
96 bits
20 bytes
16 bytes
128 bits
8 bytes
0 bytes
0 bits
5 bytes
40 bits
Stream
16 bytes
128 bits
Stream
5 bytes
40 bits
8 bytes
4.7.3 Hash Algorithms The final component of an SSL cipher suite is the hash algorithm used for the message authentication code. Table 4- 15 shows the three different hash algorithms SSL defines. It also shows the padding size used in several SSL calculations, including the M AC itself. Table 4-15 Hash Algorithms Algorithm
Hash Size
Padding Size
MD5
16 bytes
48 bytes
NULL
0 bytes
0 bytes
SHA
20 bytes
40 bytes
SSL vs. TLS The TLS standard does not include definitions for the Fortezza/ DMS cipher suites. In addition, the TLS standardization process allows for many more cipher suites to be added to the protocol.
5 Advanced SSL
In the two previous chapters, we’ve seen how SSL normally operates and examined the detailed format of its messages. This chapter examines some additional facets of the protocol, advanced features that augment its normal operation. Those advanced features include compatibility with earlier versions of the SSL protocol and special support for strong cryptography under U S. export restrictions. The chapter concludes with a comprehensive explanation of the difference between SSL and T LS.
5.1 Compatibility with Previous Versions The latest version of the SSL specification is the third major version of the SSL protocol. And, although SSL version 3.0 is well established, some existing systems may support only earlier versions of the protocol. One of the decisions facing developers of current SSL systems is whether to support communication with those older implementations. Adding such support will require additional work, and may result in slightly weaker security. Supporting older versions will provide the greatest degree of interoperability, however. Fortunately, SSL version 3.0 mechanisms can easily accommodate compatibility with earlier versions. The details of SSL versions prior to 3.0 are outside the scope of this book. H owever, since compatibility with version 2.0 remains a feature of the latest popular Web browsers, even engineers whose only concern is version 3.0 may find it useful to understand some aspects of version 2.0 compatibility. Network engineers looking at captured
105
106
SSL & TLS Essentials: Securing the Web
protocol traces, for example, may well discover version 2.0 ClientH ello messages crossing their networks. To aid in such understanding, this section looks at how systems negotiate SSL versions, the details of the version 2.0 ClientH ello message, and version 2.0 cipher suites.
5.1.1 Negotiating SSL Versions If a system wants to interoperate with both SSL version 2.0 and SSL version 3.0 systems, one obvious requirement is that the system itself must implement both SSL version 2.0 and version 3.0. It uses the version 2.0 implementation to communicate with other version 2.0 systems, and the version 3.0 implementation to communicate with version 3.0 systems. This simple statement raises the obvious question: H ow does the system know which is which? The answer lies in the very first message that the two parties exchange—the ClientH ello. The next subsection describes the format of this message in detail, but the essential element of this message is this: a client prepared to support either version 2.0 or version 3.0 sends a version 2.0 ClientH ello message. The message is a perfectly legitimate version 2.0 message, but it contains enough hints so that a version 3.0 server, if it’s paying attention, can recognize that the client also supports version 3.0. Such a server responds using the SSL version 3.0 protocol, and a normal version 3.0 handshake ensues. Figure 5- 1 shows how this negotiation works when the server only implements SSL version 2.0. Such a server recognizes the version 2.0 ClientH ello message, but it is oblivious to the special 3.0 hints. The server treats it like any other version 2.0 message and continues the version 2.0 handshake negotiation. In contrast, Figure 5- 2 shows how a version 3.0 server responds. The server is not only capable of understanding the version 2.0 ClientH ello, it also understands the special hints. The server, therefore, recognizes that the client is capable of SSL version 3.0. It uses the standard version 3.0 handshake process for the rest of the communication. The server’s responsibilities are fairly simple. If it receives a standard version 2.0 ClientH ello (without the version 3.0 hints), it responds
Advanced SSL
107
Dual Version Client
v2 Server
v2 ClientHello (with hints)
1
v2 ServerHello
2
v2 handshake continues ...
Figure 5-1 Clients can successfully negotiate with a version 2.0 server.
using SSL version 2.0. If it receives a version 3.0 ClientH ello or a version 2.0 ClientH ello with the special hints, it responds using version 3.0. Even servers that do not support SSL version 2.0 should still accept and respond to the version 2.0 ClientH ello with the special hints. Such servers can reject other version 2.0 messages. There is one final twist to this process. Since version 3.0 has security improvements over version 2.0, systems should ensure that they’re using version 3.0 in every possible circumstance, even when a mali-
Dual Version Client 1
v3 Server
v2 ClientHello (with hints) v3 ServerHello
2
v3 handshake continues ...
Figure 5-2 Clients can also negotiate with a version 3.0 server.
108
SSL & TLS Essentials: Securing the Web
cious party tries to trick them into falling back to version 2.0. The most likely threat is from a malicious system that interposes itself between the client and server. D uring the negotiation phase, it pretends to be a server when talking to the client, then turns around and pretends to be the client when talking to the server. Figure 5- 3 shows how such a man-in-the-middle attack might unfold. As the figure shows, the attacker modifies the ClientH ello to remove the special version 3.0 hints. This modification will force the client and server to use SSL version 2.0, even though both are capable of the newer (and more secure) version 3.0. The SSL specification defines a special technique that allows two systems to detect the attack if it were to occur. The client takes the first step. W hen a dual-version client ends up using SSL version 2.0 rather than version 3.0, it uses special padding values in the version 2.0 ClientKeyExchange message. In particular, it sets the last 8 bytes of the padding to the special binary value 000000 11. This value indicates that the client could have supported version 3.0. Normal version 2.0 servers will be oblivious to the padding value. D ual version servers
Man-in-the-Middle Attacker
Dual Version Client
1
v2 ClientHello (with v3 hints) v2 ServerHello
2
4
Dual Version Server
v2 ClientHello (hints removed) v2 ServerHello
3
v2 handshake continues ...
Figure 5-3 SSL protects against a version rollback attack like this one.
Advanced SSL
109
that receive a version 2.0 ClientKeyExchange, however, can look for the special padding value. If the server finds it, then an attack is occurring. Note that the attacker will not be able to modify the padding (and thus remove the incriminating 000000 11 bytes) because the client encrypts that information using the server’s public key.
5.1.2 SSL Version 2.0 ClientHello Even servers that support only SSL version 3.0 may still need to understand version 2.0 ClientH ello messages. As the previous subsection indicated, they may receive such a message from a dual version client. The actual message contents are similar to those of the version 3.0 ClientH ello, but the format is significantly different. Figure 5- 4 shows a typical version 2.0 ClientH ello as a dual version client might build it. As the figure shows, the Record Layer is only 2 bytes, and consists of a protocol type (128 is used for handshake messages) and a single byte for the message length. The actual handshake v2.0 Record Layer
Handshake Protocol minor version
128
ClientHello
Len
1
3
0
cipher suites length
sess. ...
... id len
challenge length
cipher...
...suite 1
major version
cipher suite ...
... 2
cipher suites
cipher suite n
Session ID
Challenge
Figure 5-4 Version 2.0 ClientHello messages differ from version 3.0.
110
SSL & TLS Essentials: Securing the Web
message follows, beginning with the message type of 1. This value indicates a ClientH ello message. A 2-byte version indication follows. Notice that the version is set to 3.0, even though this is a version 2.0 ClientH ello. In effect, the client lies about the version number for the message. This version number is the hint mentioned previously. It tells the server that, even though the client is sending a version 2.0 message, the client is capable of using version 3.0. A version 2.0 server will be able to parse the message. W hen it sees a version number greater than it can support, though, it just responds with a version 2.0 ServerH ello. That response directs the client to fall back to version 2.0. The rest of the message is relatively straightforward, but note that version 2.0 cipher suites are 3 bytes in length, rather than 2. This fact provides a convenient way for dual version clients to propose version 3.0 cipher suites within a version 2.0 ClientH ello. The client simply prepends a single byte of 0 to the 2-byte cipher suite value from table 4- 5. For example, the cipher suite SSL SSL RSAW I T H RC12M D (represented in version 3.0 messages as 0,4) becomes, in version 2.0 messages, 0,0,4. Since all legitimate 2.0 cipher suites begin with a value other than 0, a dual version server will be able to recognize the modified version 3.0 cipher suites correctly.
5.1.3 SSL Version 2.0 Cipher Suites To thoroughly understand version 2.0 ClientH ello messages in the context of version 3.0 compatibility, it is necessary to recognize the version 2.0 cipher suites. Table 5- 1 lists the values defined in the SSL version 2.0 specification. Table 5-1 SSL Version 2.0 Cipher Suite Values Value
Cipher Suite
1,0,128
SSL_RC4_128_WITH_MD5
2,0,128
SSL_RC4_128_EXPORT40_WITH_MD5
3,0,128
SSL_RC2_CBC_128_CBC_WITH_MD5
4,0,128
SSL_RC2_CBC_128_CBC_EXPORT40_WITH_MD5
Advanced SSL
111
5,0,128
SSL_IDEA_128_CBC_WITH_MD5
6,0,64
SSL_DES_64_CBC_WITH_MD5
7,0,192
SSL_DES_192_EDE3_CBC_WITH_MD5
5.2 Netscape International Step-Up One of the challenges facing SSL implementations, and indeed, security products in general, is complying with various laws and regulations that restrict the use of cryptography. The United States, for example, currently treats cryptography like weapons and limits the ability of U S. companies to export cryptographic products. In principle, the goal of this policy is to avoid letting cryptographic products fall into the hands of terrorists and other criminals, thereby hamper1 ing the ability of intelligence agencies to combat such criminals. The problem is particularly acute for companies such as Netscape and Microsoft. Those companies would like to make their Web browsers as widely available as possible, including making them downloadable from the Internet. Browser developers would also like to include the strongest possible cryptography in their products, however, and those two goals are in direct conflict with each other. Laws and regulations prevent browser developers from exporting software with strong cryptography, including distributing software using the Internet. Such laws, while perhaps hindering the ability of criminals to commit crimes, certainly interfere with legitimate commerce. A bank, for example, might like to offer banking services over the Internet, even to customers outside the United States. Potential customers might balk, however, if they knew that their Web transactions were secured only by the deliberately weakened cryptography required to satisfy U S. export laws. _________________ 1 During the writing of this book, the U S government announced its intention to revise its export policy so as to eliminate these restrictions in many, but not all, cases.
112
SSL & TLS Essentials: Securing the Web
Both Netscape and Microsoft have worked with the U S. government to develop a compromise approach. The Netscape approach is known as International Step-Up, and it is the subject of this section. (Microsoft’s very similar Server Gated Cryptography is the topic of the next section.)
5.2.1 Server Components International Step-Up requires no changes at all to an SSL server implementation. The server simply responds normally to all SSL version 3.0 messages. The server does supply a critical element in the International Step-Up process, though—a special International Step-Up certificate. Note that the SSL protocol itself does not address the contents of public key certificates. It simply carries them (whatever their contents) in Certificate messages. International Step-Up server certificates are special in two important ways. First, they contain a special attribute in the extended key usage (extKeyUsage) field. Appendix A discusses this field (and certificates in general) in more detail, but the special attribute for Netscape’s International Step-Up includes the object identifier value of 2.16.840 .1.113730.4.1. The second important characteristic of International Step-Up server certificates is the certificate authority that issues them. All such certificates must be issued under the VeriSign Class 3 authority. (In theory, it would be possible for any authority to issue International Step-Up certificates; however, as of this writing, Netscape’s web browser clients are pre-configured to only recognize VeriSign as a legitimate International Step-Up certificate authority.)
5.2.2 Client Components Most of the action with International Step-Up happens in the client. Clients that wish to use International Step-Up are generally those that have been licensed for export (otherwise, they would not be subject to export laws restricting the strength of their cryptography). Such clients are not free to use strong cryptography in all cases. If they support International Step-Up, however, the client has a latent capability to support strong cryptography. The client is designed to
Advanced SSL
113
keep this capability hidden from normal servers (thus it conforms to U S. export regulations), but when it recognizes a server’s International Step-Up certificate, it reveals its hidden capability and negotiates strong cryptography. Figure 5- 5 shows the complete message exchange. Note that in message 1, the client only proposes to support export strength encryption. The client does this even though it is actually capable of stronger encryption; clients must do this to obtain the necessary U S. export licenses. The server has no choice but to select a cipher suite from among those proposed by the client, so the ServerH ello message will indicate export-strength encryption. (At this point, the server does not know that the client supports International Step-Up.) Once the client receives message 3, however, it knows that the server is capable of supporting International Step-Up. It continues with the regular handshake negotiation (messages 4 through 9), but instead of beginning the exchange of application data, it starts a new negotiation with a second ClientH ello message (message 10). This message proposes full-strength cipher suites. The server responds to this appropriately, and at the end of the second handshake with message 18, both parties have negotiated a full-strength cipher suite.
5.2.3 Controlling Full-Strength Encryption International Step-Up is a compromise between the needs of the U S. government to limit the use of full-strength cryptography abroad and the desire of browser manufactures to offer the strongest possible product to the widest possible audience. Because the U S. government has verified that Netscape’s Web browser only renegotiates fullstrength cryptography after the server has produced a special International Step-Up certificate, Netscape is free to distribute its browser worldwide, even by Internet download. Controlling the use of fullstrength encryption becomes a matter of controlling the issuance of International Step-Up certificates. Currently, only one certificate authority (VeriSign) is able to issue International Step-Up certificates, and the U S. government controls which companies are allowed to purchase those certificates.
114
SSL & TLS Essentials: Securing the Web
Client
Server 1
not secured
secured with export cipher suite
secured with fullstrength cipher suite
ClientHello (export cipher suites) ServerHello ( export cipher suite)
2
Certificate (International Step-Up)
3
ServerHelloDone
4
5
ClientKeyExchange
6
ChangeCipherSpec
7
Finished
10
not secured
ChangeCipherSpec
8
Finished
9
ClientHello (full-strength ciphers) ServerHello ( full-strength cipher )
11
Certificate
12
ServerHelloDone
13
ChangeCipherSpec
17
Finished
18
14
ClientKeyExchange
15
ChangeCipherSpec
16
Finished
Figure 5-5 International Step-Up negotiates cipher suites twice.
secured with export cipher suite
fullstrength
Advanced SSL
115
5.3 Microsoft Server Gated Cryptography Microsoft’s Internet Explorer has a capability very similar to Netscape’s International Step-Up. Microsoft calls its technology Server Gated Cryptography (SGC), which reflects the role the server plays in enabling the client to use full-strength cryptography. The principles behind Server Gated Cryptography are identical to those of International Step-Up. Clients begin a negotiation by proposing only export-strength cipher suites. W hen they see a special object in the server’s certificate, however, they renegotiate the cipher suite using full-strength encryption algorithms. There are, however, two important details in which Server Gated Cryptography differs from International Step-Up: the specific object identifier in the server certificate and the exact mechanism the client uses to renegotiate the handshake.
5.3.1 Server Gated Cryptography Certificates Like International Step-Up, servers that qualify for Server Gated Cryptography use certificates with a special object identifier in the extended key usage field. The particular value for SGC is 1.3.6.1.4.1.311.10.3.3. Equally important, those certificates are issued by a certificate authority approved by U S. export regulators. As of this writing, the only authority that has the necessary approval is VeriSign, the same authority that issues International Step-Up certificates. In fact, VeriSign does not issue separate certificates for International StepUp and Server Gated Cryptography. It issues a single certificate, which VeriSign calls a Global Secure ID , that has both extended key usage objects included in it. The same server certificate, therefore, supports both International Step-Up and Server Gated Cryptography.
5.3.2 Cipher Suite Renegotiation Another difference between Server Gated Cryptography and International Step-Up is the approach used to renegotiate the cipher suite
116
SSL & TLS Essentials: Securing the Web
Client
Server 1
not secured
fullstrength
5
ClientHello (export cipher suites) ServerHello ( export cipher suite)
2
Certificate (with SGC)
3
ServerHelloDone
4
ClientHello (full-strength ciphers) ServerHello ( full-strength cipher )
6
Certificate
7
ServerHelloDone
8
9
ClientKeyExchange
10
ChangeCipherSpec
11
Finished ChangeCipherSpec
12
Finished
13
not secured
fullstrength
Figure 5-6 Server Gated Cryptography resets cipher suite negotiation.
to a full-strength version. Figure 5- 6 shows the sequence of messages for Server Gated Cryptography. A comparison with figure 5- 5 shows that the key difference begins with step 5. W hile International Step-Up completes the initial handshake for export-strength ciphers and renegotiates after that handshake is complete, Server Gated Cryptography effectively aborts the
Advanced SSL
117
initial handshake and sends a new ClientH ello message at step 5. This new ClientH ello proposes stronger encryption parameters, allowing the server to select full-strength security for the session. Two aspects of this approach to cipher suite renegotiation are worth elaboration. First, some of the documentation on Server Gated Cryptography available from Microsoft appears to imply that a special “reset” message precedes the second ClientH ello of step 5. This is not the case, at least with versions 4.0 1 and 5.0 of Internet Explorer. The client simply sends a new ClientH ello as soon as it receives the ServerH elloDone. There is nothing special about this ClientH ello message. (It does not, for example, include a T CP reset.) W ith Server Gated Cryptography, any “reset” is merely implied by the second ClientH ello. Second, the SSL standard is not completely clear as to whether the SGC approach is permitted. It is not clearly illegal, however, and it does work appropriately. Given the widespread deployment of Internet Explorer and Microsoft Web servers, the point is probably academic anyway.
5.4 The Transport Layer Security Protocol Although the Secure Sockets Layer protocol was originally developed primarily by Netscape, the protocol has become so critical to the operation of the Internet that the Internet Engineering Task Force (I E T F ) has, with Netscape’s blessing, taken over future development of SSL standards. For several reasons, including a desire to more clearly distinguish SSL from ongoing work with the I P Security (I P SEC ) protocol, the I E T F rechristened the protocol with the name Transport Layer Security, or T LS. The T LS specification represents a relatively modest, incremental improvement to the SSL protocol. There is far less difference, for example, between SSL version 3.0 and T LS than there is between SSL versions 2.0 and 3.0. In fact, there are really only a few significant changes between SSL and T LS, which table 5- 2 summarizes. The remainder of this section details these changes in seven subsections, which correspond to the items in table 5- 2.
118
SSL & TLS Essentials: Securing the Web
Table 5-2 Differences between SSL and TLS SSL v3.0
TLS v1.0
Protocol version in messages
3.0
3.1
Alert protocol message types
12
23
ad hoc
standard
Message authentication Key material generation CertificateVerify Finished Baseline cipher suites
ad hoc
PRF
complex
simple
ad hoc
PRF
includes Fortezza
no Fortezza
5.4.1 TLS Protocol Version Perhaps it is unfortunate that the I E T F decided to rename SSL to T LS. That decision has certainly introduced some confusion in the version numbers for the T LS protocol. The existing Transport Layer Security standard is named version 1.0. Indeed, it is the first version of T LS. H owever, in order to maintain interoperability with SSL version 3.0 systems (see section 5.4.8), the protocol version reported in the actual protocol messages must be greater than 3.0. Because T LS is a modest rather than a drastic improvement over SSL , T LS designers have specified that the protocol version that appears in T LS messages be 3.1. Presumably, should T LS ever undergo a major revision itself, the new protocol would be named version 2.0, but would be indicated in the protocol messages as 4.0.
5.4.2 Alert Protocol Message Types One of the areas in which T LS improves on SSL is in its procedures for notification of potential and actual security alerts. In particular, T LS defines almost twice as many alert descriptions. Table 5- 3 provides the complete list of T LS alerts. It also marks which of those are new to T LS (with a bullet in the leftmost column), and it emphasizes the fact that alert description 41 (NoCertificate) was deleted in T LS. The T LS specification removed this alert because, in practice, it was difficult to implement. Successfully interpreting the NoCertificate alert requires a high level of synchronization between the Alert and
Advanced SSL
119
H andshake protocols, a synchronization that is otherwise not needed. To eliminate the requirement for this synchronization, T LS has clients that do not have appropriate certificates simply return an empty Certificate message. Table 5-3 TLS Alert Descriptions Value
Name
Meaning
0
CloseNotify
The sending party indicates explicitly that it is closing the connection; closure alerts have a warning severity level.
10
UnexpectedMessage
The sending party indicates that it received an improper message; this alert is always fatal.
BadRecord-
The sending party indicates that it received a message with a bad message authentication code; this alert is always fatal.
20
MAC
•
21
DecryptionFailed
The sending party indicates that a message it decrypted was invalid (e.g., it was not a multiple of the block size or had invalid padding); this alert is always fatal.
•
22
RecordOverflow
The sending party indicates that a message it received was, after decryption or 14 decompression, more than 2 +2048 bytes; this message is always fatal.
30
DecompressionFailure
The sending party indicates that it received data that it could not decompress; this alert is always fatal.
40
HandShakeFailure
The sending party indicates that it was not able to negotiate an acceptable set of security services for the session; this alert is always fatal.
41
NoCertificate
The sending party (which is always a client) indicates that it has no certificate that can satisfy the server’s CertificateRequest.
42
BadCertificate
The sending party received a certificate that was corrupt (e.g., its signature could not be verified).
43
UnsupportedCertificate
The sending party received a certificate of a type that it could not support.
120
SSL & TLS Essentials: Securing the Web
Value
Name
Meaning
44
CertificateRevoked
The sending party received a certificate that has been revoked by the certificate authority.
45
CertificateExpired
The sending party received a certificate that has expired.
46
CertificateUnknown
The sending party indicates an unspecified problem with a received certificate.
47
IllegalParameter
The sending party indicates that it received a handshake message with a parameter value that was illegal or inconsistent with other parameters.
•
48
Unknown CA
The sending party indicates that it could not identify or does not trust the certificate authority of a received certificate chain; this message is always fatal.
•
49
AccessDenied
The sending party indicates that the party identified in the peer’s certificate does not have access rights to continue negotiation; this error is always fatal.
•
50
DecodeError
The sending party indicates that a received message could not be decoded because a field value was out of the permitted range or the message length was invalid; this message is always fatal.
•
51
DecryptError
The sending party indicates that a cryptographic operation essential to the handshake negotiation failed.
•
60
ExportRestriction
The sending party indicates that it detected a negotiation parameter not in compliance with applicable U.S. export restrictions; this message is always fatal.
•
70
ProtocolVersion
The sending party indicates that it cannot support the requested TLS protocol version; this message is always fatal.
•
71
InsufficientSecurity
The sending party (always a server) indicates that it requires cipher suites more secure than those supported by the client; this message is always fatal.
Advanced SSL
121
Value
Name
Meaning
•
80
InternalError
The sending party indicates that an error local to its operation and independent of the TLS protocol (such as a memory allocation failure) makes it impossible to continue; this message is always fatal.
•
90
UserCanceled
The sending party indicates that it wishes to cancel the handshake negotiation for reasons other than a protocol failure; this message is typically a warning and should be followed by a CloseNotify.
•
100
NoRenegotiation
The sender indicates that it cannot comply with the peer’s request to renegotiate the TLS handshake; this message is always a warning.
5.4.3 Message Authentication Another area in which T LS improves on SSL is in the algorithms for message authentication. The way SSL message authentication combines key information and application data is rather ad hoc, created just for the SSL protocol. The T LS protocol, on the other hand, relies on a standard message authentication code known as H hM AC (for H ashed Message Authentication Code). The H hM AC algorithm is a defined standard, and has been subjected to rigorous cryptographic analysis. The H hM AC specification (see the References section) includes a precise description of the approach, as well as sample source code, but figure 5- 7 illustrates H hM AC in a format that can be compared with other figures in this text. Note that H hM AC does not specify a particular hash algorithm (such as M D or SH A ); rather, it works effectively with any competent hash algorithm. The T LS message authentication code is a straightforward application of the H hM AC standard. The M AC is the result of the H hM AC approach, using whatever hash algorithm the negotiated cipher suite requires. The H hM AC secret is the M AC write secret derived from the master secret. Table 5- 4 lists the information that is protected.
122
SSL & TLS Essentials: Securing the Web
64 bytes
64 bytes
secret
64 bytes of 0x36
0, 0, 0, ..., 0 Exclusive-OR
exclusive-OR output
data to protect
H( )
64 bytes of 0x5C
Exclusive-OR
exclusive-OR output
hash
H( )
MAC
Figure 5-7 Hashed MAC works with any hash algorithm. Table 5-4 Data Protected by TLS Message Authentication Code Data Protected by H-MAC
• Sequence number • TLS protocol message type • TLS version (e.g., 3.1) • Message length • Message contents
Advanced SSL
123
5.4.4 Key Material Generation Building on the H !M AC standard, T LS defines a procedure for using H !M AC to create pseudorandom output. This procedure takes a secret value and an initial seed value (which can be quite small), and securely generates random output. The procedure can create as much random output as necessary. Figure 5- 8 illustrates the procedure, and table 5- 5 lists its steps. As with the H !M AC standard, the procedure does not rely on a particular hash algorithm. Any hash algorithm, including M D " and SH A may be used for the pseudorandom output. Table 5-5 Creating Intermediate Pseudorandom Output Step
secret
Procedure
1
Calculate H-MAC of the secret and the seed.
2
Calculate H-MAC of the secret and the results of the previous step; the result is the first part of the pseudorandom output.
3
Calculate H-MAC of the secret and the results of the previous step; the result is the next part of the pseudorandom output.
4
Repeat step 3 as many times as required to product sufficient pseudorandom output. seed
HMAC
HMAC
H-MAC
HMAC
H-MAC
HMAC
H-MAC
. . . Figure 5-8 TLS uses H-MAC to generate pseudorandom output.
pseudorandom output
124
SSL & TLS Essentials: Securing the Web
For one additional refinement, T LS uses the pseudorandom output procedure to create a pseudorandom function, or P RF . The P RF combines two separate instances of the pseudorandom output procedure; one uses the M D # hash algorithm and the other uses the SH A hash algorithm. The T LS standard specifies a function that uses both algorithms just in case one of the two is ever found to be insecure. Should that happen, the other algorithm will still protect the data. The P RF appears in figure 5- 9. It starts with a secret value, a seed value, and a label. As the figure shows, the function splits the secret into two parts, one for the M D # hash and the other for the SH A hash. It also combines the label and the seed into a single value. Table 5- 6 lists the detailed steps. Note that the M D # and SH A hash outputs are of different lengths (16 and 20 bytes, respectively), so the pseudorandom output generation may require a different number of iterations for steps 2 and 3 in the table.
secret
S1
label
S2
label
seed
seed
PMD5
PSHA
P-MD5
P-SHA
Exclusive-OR
PRF
Figure 5-9 TLS’s Pseudorandom function uses both MD5 and SHA.
Advanced SSL
125
Table 5-6 TLS Pseudorandom Function Step
Procedure
1
Split the secret into two equal parts; if the secret consists of an odd number of bytes, include the middle byte in each part. (It’s the last byte of the first part and the first byte of the second part.)
2
Generate pseudorandom output using the first part of the secret, the MD5 hash function, and the combined label and seed.
3
Generate pseudorandom output using the second part of the secret, the SHA hash function, and the combined label and seed.
4
Exclusive-OR the results from steps 2 and 3.
W ith an understanding of the T LS P RF , it now possible to describe how T LS creates key material. The principle is the same as with SSL . Each system starts with the premaster secret; next it creates the master secret. Then, it generates the required key material from the master secret. To generate the key material, T LS relies on the P RF . Input values to the P RF are the master secret (as the secret), the ASCI I string “key expansion” (as the label), and the concatenation of the server’s random value and the client’s random value for the seed. The 48-byte master secret itself is also computed using the P RF . The input values, in this case, are the premaster secret, the ASCI I string “master secret” (as the label), and the concatenation of the client’s random value and the server’s random value. Figure 5- 10 illustrates both steps in the process.
5.4.5 CertificateVerify Transport Layer Security also differs from SSL in the details of the CertificateVerify function. In SSL , the signed information in the CertificateVerify function consists of a complex, two-level hash of handshake messages, master secrets, and padding. (See section 4.5.8.) In the case of T LS, the signed information is simply the handshake messages previously exchanged during the session.
126
SSL & TLS Essentials: Securing the Web
premaster secret
"master secret"
client random
server random
PRF
master secret
"key expansion"
server random
client random
PRF
key material
Figure 5-10 TLS uses its PRF to create the master secret and key material.
5.4.6 Finished The T LS specification also simplifies, slightly, the contents of the Finished message. For T LS, the sole contents of the Finished message are 12 bytes created by applying the P RF to the master secret, the label “client finished” (for clients) or “server finished” (for servers), and the concatenation of the M D $ hash of all handshake messages and the SH A hash of all handshake messages. Figure 5- 11 shows the calculation graphically.
5.4.7 Baseline Cipher Suites As a baseline, T LS supports nearly the same set of cipher suites as SSL ; however, explicit support for Fortezza/ DM S cipher suites has been removed. The set of defined T LS cipher suites will likely expand as new cipher suites are developed and implemented. Because the I E T F has a well-defined process for evaluating these proposals, enhancements will be much easier to add to T LS than they were to SSL . Table 5- 7 lists the baseline T LS cipher suites, along with their values in hello messages.
Advanced SSL
127
Handshake Messages...
MD5
SHA
master secret
client/server label
MD5 hash
SHA hash
PRF
verify data (12 bytes)
Figure 5-11 TLS uses the PRF for Finished messages.
Table 5-7 TLS Version 1.0 Baseline CipherSuite Values Value
Cipher Suite
0,0
TLS_NULL_WITH_NULL_NULL
0,1
TLS_RSA_WITH_NULL_MD5
0,2
TLS_RSA_WITH_NULL_SHA
0,3
TLS_RSA_EXPORT_WITH_RC4_40_MD5
0,4
TLS_RSA_WITH_RC4_128_MD5
0,5
TLS_RSA_WITH_RC4_128_SHA
0,6
TLS_RSA_EXPORT_WITH_RC2_CBC_40_MD5
0,7
TLS_RSA_WITH_IDEA_CBC_SHA
0,8
TLS_RSA_EXPORT_WITH_DES40_CBC_SHA
0,9
TLS_RSA_WITH_DES_CBC_SHA
0,10
TLS_RSA_WITH_3DES_EDE_CBC_SHA
0,11
TLS_DH_DSS_EXPORT_WITH_DES40_CBC_SHA
0,12
TLS_DH_DSS_WITH_DES_CBC_SHA
0,13
TLS_DH_DSS_WITH_3DES_EDE_CBC_SHA
0,14
TLS_DH_RSA_EXPORT_WITH_DES40_CBC_SHA
128
SSL & TLS Essentials: Securing the Web
0,15
TLS_DH_RSA_WITH_DES_CBC_SHA
0,16
TLS_DH_RSA_WITH_3DES_EDE_CBC_SHA
0,17
TLS_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA
0,18
TLS_DHE_DSS_WITH_DES_CBC_SHA
0,19
TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA
0,20
TLS_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA
0,21
TLS_DHE_RSA_WITH_DES_CBC_SHA
0,22
TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA
0,23
TLS_DH_anon_EXPORT_WITH_RC4_40_MD5
0,24
TLS_DH_anon_WITH_RC4_128_MD5
0,25
TLS_DH_anon_EXPORT_WITH_DES40_CBC_SHA
0,26
TLS_DH_anon_WITH_DES_CBC_SHA
0,27
TLS_DH_anon_WITH_3DES_EDE_CBC_SHA
5.4.8 Interoperability with SSL As was the case with the transition from SSL version 2.0 to SSL version 3.0, there is a well-defined approach for systems to support both SSL %&' and T LS 1.0 in an interoperable manner. Indeed, the process is essentially the same as that described in section 5.1.1. A client that supports both SSL version 3.0 and T LS version 1.0 should send an SSL version 3.0 ClientH ello, but with the protocol version set to 3.1. If the server understands T LS, it responds with a T LS ServerH ello; otherwise, it responds with an SSL ServerH ello, and the client knows to fall back to SSL version 3.0. Servers that support T LS, even if they don’t support SSL , should still be prepared to accept an SSL V%&' ClientH ello. If they receive such a message with the version set to 3.1, they can safely proceed with a T LS handshake.
5.5 The Future of SSL and TLS The future evolution of SSL and T LS is clearly in the hands of the I E T F , as well as developers of Web browsers, Web servers, and other Internet systems that require security. Version 3.0 of SSL is well established in these areas, and, as more systems connect to the Internet
Advanced SSL
129
and more Internet transactions require security, SSL ’s influence will only grow. Already, devices ranging from WebTV receivers to Palm computers include implementations of SSL or T LS. In addition, applications other than for regular Web commerce are realizing the benefits of an effective network security protocol. The Open Settlement 2 Protocol, for example, relies on SSL to secure I P -based telephony services; and the W ireless Application Protocol Forum has defined a 3 variation of T LS for securing handheld devices. The shift from SSL as a proprietary technology to T LS as an open standard will also strengthen the protocol. Now that T LS is administered by an international standards organization, participation in its development is open to any interested party. The T LS standardization process gives the network security community much more freedom to improve and enhance the protocol’s operation. Should a new vulnerability be discovered, or should new, more effective cryptographic algorithms be developed, it will be much easier to modify T LS appropriately. This benefit alone insures that, under its new name, SSL will continue to secure Internet communications for years to come.
_________________ 2 Technical Specification T S 10 1 321 from the European Telecommunications Standards Institute, available at http://www.etsi.org. 3 The W ireless Transport Layer Security (W T LS) specification is available at http://www.wapforum.org.
Appendix A X.509 Certificates
The Secure Sockets Layer protocol does not depend on a particular format for the public key certificates it exchanges. As far as SSL is concerned, a certificate is just an arbitrary set of bytes. Practical SSL deployments and implementations, however, depend heavily on the specifics of those certificates. Client implementations, for example, must verify a server’s certificate and extract the server’s public key information from the certificate in order to encrypt the ClientKeyExchange contents. And, although the SSL protocol itself does not worry about certificate details, a thorough understanding of public key certificates is critical to any SSL implementation. One particular international standard is widely accepted as the appropriate format for public key certificates. That standard is from the International Telecommunications Union (I T U ), and it is universally known by its I T U specification number: X()*+. This appendix takes a closer look at the X()*+ standard. It begins with an overview of X()*+ certificates; the overview provides a high-level description of the certificate format, but it does not include extensive detail. For readers who want to understand X()*+ at a detailed level, the following two sections are included. Section A (a explains Abstract Syntax Notation One (ASN .1), a special data description language used extensively in the X()*+ (and many other I T U ) specifications. Some understanding of ASN .1 is essential for the third section of this appendix, which looks at X()*+ certificates in depth. The fourth and final section includes a complete example certificate, which shows how to read the actual certificate byte by byte. This section also discusses important aspects of constructing and interpreting X()*+ certificates.
131
132
SSL & TLS Essentials: Securing the Web
A.1 X.509 Certificate Overview Certificates that conform to the latest X,-/0 standard can contain as many as 11 different fields. Their order in the certificate corresponds to the illustration of figure A - 1. Note though, that the field names in the figure are not the same as the names in the X,-/0 standard. To this writer, some of the X,-/0 field names seem quite confusing. Reluctantly, therefore, the figure and the following discussion take the 1 liberty of renaming the fields to more reasonable labels.
A.1.1 Version The Version field identifies the particular version of the X,-/0 standard to which the certificate conforms. As of this writing, the latest version of the X,-/0 standard is 3. Note, though, that for this field within the certificate, version numbers begin with 0 rather than 1. Consequently, the version number that appears in X,-/0 version 3 certificates is 2. Version Serial Number Algorithm Identifier
Called "Signature" in standard
Issuer Period of Validity Subject Subject's Public Key Issuer Unique ID Subject Unique ID Extensions Signature
Called "Encrypted" in standard
Figure A-1 An X.509 certificate contains fewer than a dozen items. _________________ 1 Other authors, including Kaufman, Perlman, and Speciner (see References), have also adopted this approach.
X.509 Certificates
133
A.1.2 Serial Number The Serial Number is a value assigned by the certificate authority to an individual certificate. Presumably, the CA ensures that the value is unique for every certificate it issues. The certificate authority has complete control over this field, though, and can put any value whatsoever here.
A.1.3 Algorithm Identifier The Algorithm Identifier is one of the fields that is named differently in the standard. The X1356 specification calls this field the Signature. That choice is particularly inappropriate, because the field doesn’t contain a signature at all. Instead, as the name used here implies, the field simply identifies the algorithm used to sign the certificate, as well as any parameters pertinent to that algorithm. This information is actually repeated in the “encrypted” part of the certificate. Most implementations choose to use the information from that section, effectively ignoring this value.
A.1.4 Issuer The Issuer field identifies the certificate authority that issued the certificate. It takes the form of a distinguished name. A distinguished name is a hierarchy, often starting with a country and then dividing into state or province, organizations, organizational units, and so on. Theoretically, a distinguished name may extend all the way to an individual. Certificate authorities have historically been rather liberal in their interpretation of this hierarchy. The organizational unit element, for example, is often used to hold miscellaneous information relating to the authority. The example certificate of section A17 demonstrates this practice.
A.1.5 Period of Validity The Period of Validity identifies both the earliest and latest times that the certificate is valid. O utside of the bounds this field asserts, the certificate should not be considered valid.
134
SSL & TLS Essentials: Securing the Web
A.1.6 Subject The Subject field identifies the entity that owns the private key being certified. Like the Issuer field, this field takes the form of a distinguished name, and, as with the Issuer, certificate authorities have historically interpreted the distinguished name hierarchy quite liberally. Generally, the most important element in the subject’s name is the element known as the commonName. The commonName is typically the actual name of the subject being certified.
A.1.7 Subject ’s Public Key This field contains the subject’s public key, and is, in effect, the whole reason for the certificate. This field also identifies the algorithm and its parameters. As an example, if the public key algorithm is RSA , then this field will contain the modulus and public exponent. Note that this information is different from the information in the Signature and Algorithm Identifier fields of the certificate. Those two fields identify the algorithm of the certificate authority’s public key, the key used to sign the certificate. This field identifies the subject’s public key.
A.1.8 Issuer Unique Identifier This optional field, which was introduced in X89:; version 2, permits two different issuers to have the same Issuer distinguished name. Such issuers would be distinguished from each other by having different values for the Issuer Unique Identifier. As a practical matter, this field is rarely used.
A.1.9 Subject Unique Identifier This optional field, also introduced in X89:; version 2, permits two different subjects to have the same distinguished name. For example, two different people in the same organization might be named Stephen Thomas. Such subjects would be distinguished by different values for this field. As a practical matter, like the Issuer Unique Identifier, the Subject Unique Identifier field is rarely used.
X.509 Certificates
135
A.1.10 Extensions The Extensions field was introduced in version 3 of X? (the latest version as of this writing). It provides a place for issuers to add their own private information to the certificate. As discussed in Chapter 5, this is the area where the special object identifiers for Netscape’s International Step-Up and Microsoft’s Server Gated Cryptography appear. Certificate authorities frequently use this area for miscellaneous information related to the certificate. The sample certificate of section A